Meet Cristina Bentué, COO and Co-Founder at Cybersecurity Company: IriusRisk

Cristina Bentué

IriusRisk is a cybersecurity company that uses automation to evolve threat modeling from a slow and manual security process, which is often still conducted on whiteboards, to an easily implemented practice that can be consistently applied across an organisation’s product portfolio, creating security-by-design, at scale.

Simply put: threat modeling helps enterprises gain visibility into risks in their product from the design stage of the software development life cycle. It provides security and engineering teams with a list of threats and detailed countermeasures to fix the vulnerabilities that they may encounter before and throughout development. This delivers time and cost savings by relieving security architects of preventative hazards and speeds up deployment for engineers as a result. With a more iterative approach to development and security, IriusRisk is able to remove any barriers in communication and process between security and engineering teams, which often leads to a bottleneck of security testing and expensive redevelopment work.

Typically, 50% of security vulnerabilities are caused by a product’s design flaws. We help companies ensure that products aren’t distributed with these high-risk threats that would require fixing post-production and, critically, detect the flaws that application scanning tools simply cannot find. Our clients are therefore able to build more secure, resilient products that protect their assets, reputation, and customers.

How did you come up with the idea for the company?

Stephen de Vries – who I co-founded IriusRisk with – and I worked at a cyber consultancy together. The focus was on penetration testing – also known as ethical hacking – which is an exercise that aims to crack companies’ cybersecurity defences and report which vulnerabilities we found in the process.

Something changed for me when we had a call with a company that wanted to conduct pen testing of three applications they were going to develop in the near future. We were very busy at the time and we knew we were still going to be even busier when the applications were fully completed in six months, so we thought it would be useful to speak to the developers before they even started coding. Stephen and his team already knew that they were going to unknowingly introduce potential threats before they had written a line of code! Given that developers are not ordinarily security-trained, this is perfectly normal.

Six months later, when the applications were sent to us for pen testing, there were 50% fewer vulnerabilities than usual. And this is how the idea for IriusRisk was born: we would create a platform that would automate security into the design process.


How has the company evolved during the pandemic?

During the pandemic as the world turned to the internet, we saw more organisations and businesses pay increased attention to their cybersecurity practices and we’ve onboarded clients from all around the world. Currently, our clients are mostly from the US and UK, but we’re also servicing the Middle East and Australia.

As a result, we’ve been busier than ever and our team has grown, bringing in 25 new members of staff. Many employers will know it’s very tough to hire talent currently and we’ve recognised that IriusRisk, like most scale-ups, can’t pay as much as big tech firms, so we spoke to our tech team to hear what they wanted. The conversation brought about an important restructuring with the creation of a four-day week for the developer team, a policy so popular we received ten CVs within just 48 hours of announcing it – and have received many more wonderful resumes since.

What can we hope to see from IriusRisk in the future?

We want our threat modeling platform to be the resource hub for developers worldwide. Threat modeling is relatively new now in terms of widespread adoption but it will no doubt be mainstream in a couple of years as the benefits of shifting security left in the product development lifecycle become more apparent. As we further enhance our product, we want to be more focused on developers and ensure what we do is as easy to integrate in the development process as possible.

We have started to embed regulatory and industry standards into our platform, so it is becoming a comprehensive one-stop shop that developers can integrate into their development process, without overthinking whether what they are doing abides by existing regulation and standards.

IriusRisk is still growing and there are no signs of that slowing. We’re opening offices in Australia and Germany in the next few months and our next target region is APAC, where there is great demand for a solution like ours.