Spotlight on the CyRise teams: Retrospect Labs.
Integrity is everything. Especially in the business of cyber. You bring together two stoic and genuinely likeable incident responders, and you know you’re in safe and capable hands. Jason Pang and Ryan Janosevic spent years representing the Australian Government, responding to some of our nation’s most sophisticated and serious cyber incidents, helping organisations recover from crippling attacks and data breaches. Today they’re taking their sharpened skills and honed in-person approach to building a cyber security exercise platform, which makes cyber exercises repeatable across geographies and at scale — so organisations can train for an incident, before it happens. The ultimate objective? Helping avoid that devastating, bleeding mess that too often brings an organisation, its people and its customers, to its knees.
Building on a mission
Jason always had a desire to build things. “I did iOS development back in 2008. I did side work building applications for my company, for other companies — I even built games. As my career progressed, and I got into deeper subject matter at the ASD, it was clear how much I was mission orientated. Before, building things was fun, but it was missing a mission. I feel like I’ve now got the right balance.”
With a product idea, Jason was keen for a cofounder. Having worked with Ryan for years in the public service and knowing the strength in their complementary skill sets, Jason was adamant that Ryan was the right cofounder for him. “He’d come to Melbourne and entice me”, says Ryan. “He’d run a thought past me and the more chats we had, the more interesting it became. Jason demonstrated you could make the jump and survive.”
“Mission aligns us both, and it’s something the ASD drills into you.” Ryan explains. “You get to do unique incident response in Australia — there are awesome stories we can’t tell anyone about, but were so amazing to be part of, and we’ve experienced what a difference you can make.”
The importance of a supportive co-founder dynamic
“The last thing I wanted for a cofounder was someone like me.” begins Jason. “Different skill sets are important, while still being mission and value aligned. We’re different in how we approach things. We’re different in our demeanour. He complements me really well.”
Ryan relishes the camaraderie. “The best success is experienced as part of a team. It’s incredible how much more effective you can be when you partner with someone, and your combined skills are a strong match.” He cheekily adds, “I’ve always said that for my entire career I’ve been able to hitch my wagon to a star, and Jason’s definitely a star.”
There’s a playfulness to their approach. Yes, their background is serious and legitimate, but now they add an element of gamification to building a product, and it brings lightness. As personalities, they’re who you want to prepare you for a crisis. They don’t inflame a situation; they treat it with care. They’re calm, confident, and likeable.
Doing it in a meaningful way
We’ll all be victims of a cyber incident. For an organisation it has a huge impact on their reputation, their finances, and their people. “A big incident can stay with people for a long time. We can help reframe their mindset. We provide the tools, knowledge, ability, confidence, that when an incident does happen, they’ll know what to do and the impact will be minimal.” says Jason.
“It’s not enough to say that we bought this host-based agent, or we’ve got this SIEM in place.” explains Ryan. “Attackers are more motivated than we are as defenders. They constantly up the ante and we must do the same. There’s a need to marry the tools and the people competencies across an entire organisation to work efficiently. That’s the part we focus on.”
Building incident readiness across an organisation is often done in person. This is a system that needed revival to better accommodate how teams operate across office locations and geographies. Colour this with a global pandemic, and you’ll see there’s a real, and now urgent, need for a solution that supports a physically distanced workforce.
“We need tools and tech that support modern businesses.” says Jason. “The current solutions are archaic, but need to be meaningful and realistic. When we say “meaningful”, we mean realistic exercises that can support how they run their business.”
Repeatable and actionable
Ryan speaks to the transformation of their skills into a product, “It’s exciting to see something build from nothing. You’re contributing. Something is being built right before your eyes. You learn how people might use it. It’s energising. This helps them to consider and to think about things they’ve not considered before. The potential for organisations to be empowered to respond to an incident effectively, rather than victimised, is incredible.”
How is this different to what they’re doing now? It’s the frequency. You continue to exercise a muscle, and you build strength. That’s the way to get real change. You then get to performance driven metrics, rather than subjective ones. This is the secret sauce. And it’s not something that a suite of tools or a consultant can provide.
“If you’re doing an exercise once every 12 months, you not only lose the capabilities within the retained team, but because of churn you’re essentially starting from scratch with anyone who is a new starter in that time.” says Jason.
“It’s important they have good leadership inside and outside of cyber.” Ryan further explains. “Exercises are a great way to help leaders see where we need to build, to do more and do better. How are our equipment and controls working for us? How well are our people and processes doing? Traditionally this is done through audits and compliance checks, but this is not good enough or fast enough. Offensive people get good feedback immediately… Can you hack this? Yes. That’s instant feedback. People don’t know they’re compromised until five years down the track. Feedback is important to empower leaders and teams.”
Strong in domain knowledge but new to entrepreneurship, how do they navigate it? “It’s a privilege to have had our experience at the ACSC and ASD. Now our growth area is in running a company. How do you sell yourself when you’ve always been needed?” Ryan asks.
And it’s not an uncommon mindset for cyber startup founders. The sell is hard, but in an industry ruled by compliance, integrity is everything. “We continue to stay clear in our vision and being true to ourselves. We build on it, reflect on it, and either pivot or stay the course.” explains Jason. “Slowly we’re building more confidence too. Do we belong? Are we able to succeed in it? We do have that place, but just be aware that we have to work for it, support each other, and communicate well. And I think we’re doing that. It’s a different world: from an intelligence agency to now being public facing. It’s just an adjustment, and we need to build ourselves up in order to act in the new world.”
How’s it going in the current environment? Ryan unpacks it. “Experiencing a pandemic, it’s really about having a good mindset, being decisive but also persistent. We won’t stop until we get it right. We’ll keep pushing forward. We’re careful not to get decision paralysis. You can make decisions that are right for you at the time — some will be right, some will be wrong. Ultimately though, we will learn and continue to be positive, knowing we will emerge as better founders, better entrepreneurs, and a better company.”