Founder Introduction: Adrian Kitto
Before I co-founded Detexian as the CTO, I had a long career in Information Technology which started onboard HMNZS Te Kaha as an electronics technician. Working on classified equipment at sea was my first exposure to both security and doing things right the first time, a mantra I still live by today.
Once I left the Navy, I did a number of roles starting first with technical before moving into architecture roles, many of which were at regulated entities including financial services, health and energy. In 2017, Jo and I decided to relocate from New Zealand to Melbourne to further my career and so we could give our daughter more education opportunities.
When I moved to Melbourne, I was immediately drawn to the fusion of Security and Development that was emerging here. I joined the Melbourne DevSecOps group, spoke at and became a regular participant of the meetup scene. This in turn led me to meeting people in the startup community, one of whom introduced me to my co-founder Tan Huynh. The start-up scene fascinated me. I had run companies before but never like this. I was drawn to the idea of building a better product to solve real problems that businesses have with cybersecurity and taking it to scale.
At the time, Tan was already leading Detexian through the CyRise accelerator in Melbourne, Australia and had a host-based intrusion detection solution in market trying to find Product-Market-Fit. He brought impressive business knowledge with his investment banking background and Stanford MBA. I was drawn to his experience and agreed to join as a co-founder, bringing my technical and cyber security experience to the company. During the first two months of me joining Detexian, with the help of CyRise mentors, it was becoming clear to me that the host-based intrusion detection product did not achieve the market traction we had hoped for. Our customers weren’t falling in love with it and trying to get feedback was like getting blood out of a stone.
During that time, Tan had been recommended to talk to our now other co-founder Andy Budiman, the former Director of UX and Design at Nintex, about improving the UX/UI of our host-based intrusion product as a bid to win back customers. We arranged to meet Andy at a pub. The supposedly 30-minute chat about UX/UI turned into an eye-opening conversation about Human Centred Design which, simply put, is an iterative process of designing and making products based on customer feedback from day one. It turned out Andy is a Human Centred Design specialist, who had built and worked in several startups. I had to leave for another meeting after 90 minutes and left Tan and Andy still discussing the applicability of the concept to Detexian.
What was becoming clear to me was that the host-based intrusion detection product had been built to seek its customers, and not on what its customers would have wanted.
Tan called me that evening and said we needed to change our approach or we’d die. That was the moment that we decided to part with the old product and start afresh with help from Andy. By the weekend, Andy, Tan and I found ourselves in a meeting room with a whiteboard, brainstorming ideas about a new product. We never looked back.
As a solution and cyber security architect I’d been in many inceptions and elaboration sessions but this was a new process for me.
We started out with three basic ideas:
Security tools are complex and often require specialist skilled resources to operate and understand. Could we solve / reduce this?
The changing regulatory market: many countries were bringing in cyber security assurance requirements. How can we help companies keep up with this?
The SMB / SME market is ill-equipped to be cyber resilient; the SaaS solutions they are using often change faster than they can hire or train their staff. What could we do to reduce this burden on them?
From that session, we proposed a new thesis:
A product that wouldn’t need specialist skills to operate;
That would keep up with changing regulatory requirements;
That could help the mid-market companies or their MSPs with lean (or often no) security practice achieve compliance while consuming any SaaS.
As part of this, Andy got me to draw on a whiteboard “What information would you want to see and how would it be laid out?”. For those of you who know me, operating a whiteboard is my absolute favorite way to work in a meeting. I drew 6 panels with some relevant information in it. Andy in turn turned this into a wireframe as below.
Andy was a firm believer that we needed to solicit feedback on this thesis before any coding was started; mostly to prove the pain point was valid and partially to prevent rework. So Tan and I took this wireframe on the road. We tapped into our networks and interviewed at least 10 target personas, some MSPs, some internal customers and some industry insiders.
The feedback was that yes, too many dashboards with too much complexity was a real problem. They didn’t know what cyber regulations applied to them or how to achieve compliance, but acknowledged it was something that was needed. The overwhelming call from these interviews was for simplicity.
This process was a revelation to me. Building the previous product had taken nearly 12 months to find that there was no demand. Under Andy’s direction, we accelerated the discovery and design process to just six weeks and discovered the key principle that still rules Detexian today: “Simplicity”. I was now a convert to the practice of Human Centred Design! Over the next 12 months, we continued this process of iteration to build our SaaS Security Posture Manager and onboard our first paying enterprise clients.
This simplicity principle has changed me as a cyber security professional who had long thought that a cyber product needed detailed graphs, required analysts to operate and long-winded business cases to justify. In reality, to be compliant with regulations and win more business, our customers just need simple evidence that their security controls are effective.
If the generation of this evidence is complex or requires constant reengagement of the business owners of these SaaS solutions, then it doesn’t happen;
If this evidence is complex to understand then the business will not uplift their security posture;
If the business isn’t uplifting their posture, the dreaded breach is inevitable.
This is what both Detexian and I are setting out to deliver for our customers: the evidence.
I now feel that my job as a co-founder of Detexian is to prepare our customers to have simple conversations with their business stakeholders, their external auditors and regulators and most importantly, their customers about their security posture. It’s not the role I thought I would have but it is one I love and will continue to do.