James Henderson

Rome wasn’t built in a day… but they were laying bricks every hour

There’s no tool capable of measuring the distance between a lightbulb idea and a viable product – whether that be in time or money.

Creating anything of consequence out of thin air – especially intellectual property (IP) – is blood, sweat and tears on steroids. Remember, Rome wasn’t built in a day.

The popular metaphor is often attributed to John Heywood – an English playwright in the 16th century who borrowed the phrase from a medieval French poem dating back to 1190 – and is common vernacular in the corridors of executive power.

Akin to patience is a virtue, the promise that something spectacular can only be realised through super-human endurance is widely accepted as sacrosanct.

And with good reason because it’s true. But perhaps the modernised version from James Clear – author of the no.1 New York Times Best Seller, Atomic Habits – is more applicable… Rome wasn’t built in a day but they were laying bricks every hour.

“We always planned to launch in July, it’s just the year that kept changing,” smiled Dane Meah, armed with a healthy dose of self-deprecating humour.

Dane Meah (MyCISO)

Starting a software vendor from scratch is not for the faint of heart. Bulldog tenacity isn’t bottled and blind enthusiasm isn’t limitless.

This was the case with MyCISO, co-founded by Meah and Simon McKay as a software-as-a-service (SaaS) application designed to simplify security management for the masses.

MyCISO represents the second Sydney-based start-up for the cyber focused duo, following the launch of InfoTrust in 2015 – a specialist managed security service provider (MSSP) which was recently acquired by Spirit Technology Solutions for a total consideration of $34.6 million.

Previously, both had worked in a vendor capacity at Symantec targeting enterprise customers in Australia.

“Personally, I love creating things and the entrepreneurial component of coming up with ideas and building products,” shared Meah, speaking as CEO. “We did that at InfoTrust and brought a few products to market but with MyCISO, it’s difficult to execute a product business inside of a margin business.”

Naturally, an opposing mindset exists in a services company in which people are the fundamental assets, aided by the power to switch solutions based on market sentiment. In a product company however, the potential to scale is far greater but it requires an all-or-nothing commitment to the offering.

Unsurprisingly, both generate different cultures.

“At InfoTrust we had the ability to pick our products but obviously at MyCISO, what you’ve built is what you’ve built,” Meah acknowledged. “I love being in a product business to continually improve the offering and create scale.”

Building a software vendor, brick by brick

At the time of launching InfoTrust in 2014, the market was under a wave of attack from CryptoLocker ransomware – notably Australia Post and ABC News – which escalated demand from concerned businesses seeking to avoid a repeat.

In response, Meah and his team built a self-assessment tool – Ransomware Readiness Assessment – to help boost preparedness levels among customers. The offering started off in a spreadsheet, then evolved into a WordPress plugin and found a home on the company website.

What started out as simply value-add morphed into a conversation with McKay about converting a spreadsheet turned plugin into a fully-fledged productised platform.

By 2017, the business hired a security consultant who understood the concept and strategy journey to build a governance, risk and compliance (GRC) practice, spinning up the platform in parallel.

“We started work and knew exactly what we wanted, to make security consulting more accessible to the masses,” Meah said. “So, we started building and cutting code.”

Meah recalled advising a journalist at the time that the platform would launch in July.

“Then July came and went…
“Then the following July came and went…
“Then the following July came and went.”

The product eventually entered beta in 2020 but was hindered by countless challenges and changing developers along the way.

“We initially used a Canberra-based development firm who understood the security market but they got us 80% completed and then just disengaged,” Meah said. “We made the mistake of engaging them on a fixed price so they’d reached a certain point and were done.

“It was very difficult managing that process as there was nothing in it for them to continue. We kept throwing $30K, $40K, $50K at the work which in retrospect was chump change compared to the true cost of building a compelling platform.”

Bruised from the experience, an in-house development team was then hired in an attempt to take control of the project given the bulk of the work was completed.

“We thought we were nearly done but two years later, we were still running into issues redeveloping components,” Meah sighed. “That process finally got us to 2020.”

With an internal set-up in place and the beta stage progressing, the next spanner in the works was not a product issue, rather a personnel problem. The GRC expert resigned – “Dane, I hate to do this but I’ve got to get back to my home country to look after my parents”.

That was the “oh, crap” moment.

Armed with the sobering realisation that he’d have to get up-to-speed with the product, Meah immersed himself into the platform and spent half a day clicking features and running assessments.

“Each time I clicked, an error would pop up saying that I needed to do X and Y,” he said. “I didn’t have a clue what I was doing so I called back our GRC guy and asked him to take me through everything… this was the first day after he left.”

While watching the product unravel like a “beautiful mind” – mapped out with arrows darting across the whiteboard to data objects, incident rates and control issues – Meah managed his emotions.

“I said ‘thank you very much’ and when the door closed, I had my head in my hands thinking this was never going to fly,” he accepted. “We made the mistake of hiring the most intelligent genius to design a product that was supposed to simplify and democratise security management for the masses.”

Deflated but not defeated, MyCISO recruited a user and customer experience (UX / CX) product owner with a deep understanding of how to create frictionless engagement. Phil McCann is still with the business today and has a background in serving tens of thousands of users through mortgage applications and comparison websites.

“Okay, let’s have a look – we can work with this but give me six months,” recited Meah, noting his relief at McCann’s optimism that years of development would not go to waste. “Six months passed and we had to start again.”

Pausing to cross-reference with a calendar, Meah said that by mid-2021, the fledgling software vendor was 5-6 years into development with a heavy investment burden and a sizeable team.

“We’d been going at this for years and had nothing to show for it,” he accepted.

At this time, Meah stepped back from InfoTrust as McKay took control of the MSSP amid a challenging COVID-19 period.

Development of MyCISO was outsourced again to a “fantastic” software development firm and within three months the platform had caught up, even if the original code had been dropped.

“We could have been shy but we showed the courage to continue,” Meah said. “We’d done it properly this time from the code and software to the infrastructure build – everything was secure by design and aligned to our vision.

“Within six months, we were in testing and it was slick. Then we moved into beta in March 2022 and launched in July 2022 with a 100% conversion from beta to customer.”

Cynics could question the value of sharing the blow-by-blow account of a seven-year software rollercoaster – focus on the destination, forget the journey.

But as Clear explained, “Rome is just the result, the bricks are the system. The system is greater than the goal. Focusing on your habits is more important than worrying about your outcomes”.

In the context of MyCISO, that is the secret sauce.

All systems go, ready to launch

Meah is full of praise when acknowledging the many people who have contributed to the success of MyCISO yet remains unsurprisingly humble when assessing his own contribution.

Armed with decades of experience in cyber security – serving enterprise and mid-market customers across Australia – Meah’s strength is not in the specialisation of software building, rather the unrelenting pursuit of user value.

“I took on the role of customer champion, and still do,” he said.

To aid the UX and CX efforts of McCann, Meah created three buyer personas that would shape the features and functions of MyCISO.

“Our persona isn’t a GRC consultant,” he qualified. “We named them, we know the names of their kids and what pets they have – we went very granular to truly understand their pain points.”

Counting on his fingers across the boardroom table, Meah outlined:

  1. Terry the Technical Manager: Terry comes from a networking background and does everything to look after 50-250 employees in his company – security is on a long list of responsibilities.
  2. Charles the CIO: Charles is strategic and values strong engagement with the board.
  3. Sally the CISO: Sally is the first CISO in the company and is dealing with a very stressful job on a continuous audit. Expectations are up here but the ability to execute is down there. Each day is Groundhog Day… audit, audit, audit, report, report, report.

“We’ve never lost sight of solving problems for these three personas,” Meah confirmed.

From a product perspective, MyCISO has addressed such issues via three key modules:

  • Assess: Adopts the security consultant’s journey of gaining business context and setting goals, performing control and risk assessments and finally creating a security strategy. The platform is designed to achieve every step – whether understanding the best security framework, evaluating maturity levels or building a first-time strategy.
  • Suppliers: Tackles the rigorous process of on-boarding new vendors and third-party suppliers for businesses, streamlined from configuration, assessment, review and collaboration.
  • Culture: Drives awareness among end-users and the C-suite through increased engagement rather than tick-box exercises. The platform incorporates four core elements – strategy, training, attack simulation and engagement collateral.

“Traditionally, this was all the job of a person with a clipboard or spreadsheet,” Meah explained. “They would walk around and ask 150-500 questions then go away with lots of data and spreadsheets before writing a report.”

The highly manual process usually took 2-3 days of report writing with the output “relatively basic” compared to what MyCISO can produce within 30 seconds.

“Click, generate and through our algorithms, it’s done,” Meah said. “We had a waitlist during the first few months and continue to bring customers on at pace – on average two per week via an annual or multi-year subscription.”

When pressed, Meah offered a scorecard of 8.5 out of 10 on the progress made by MyCISO in the first year after launch, arguably a little harsh given the metrics achieved so far.

Sales targets were hit during the first year and approximately 80 customers are now on-board, including tier-one insurers and state government entities in Australia.

But the team is refusing to take early success for granted – “we want to ensure our customers have a positive experience and renew so we can avoid a leaky bucket scenario”.

Supporting heightened end-user demand is an expanding ecosystem of channel partners seeking to sharpen security offerings. The plan is to create market interest and bring an ecosystem of strategic MSPs along for the ride through a 100% indirect model.

Internationally speaking, MyCISO has also formed partnerships in the US alongside ongoing conversations in the UK, mainland Europe and Africa.

“We’ll have an international presence within the next three years,” Meah confirmed. “Actually, I probably should just say July and miss out the year.”

While said in jest, Meah’s journey is one of inspired perseverance and an unequivocal commitment to quality.

MyCISO wasn’t built in a day but the team were laying bricks every hour. Each brick is cemented with unrivalled knowledge and unparalleled expertise – something that simply can’t be bought or replicated.

