Produced by W2D1 Media
Day One

For most founders, cybersecurity feels like something to worry about “later.” But what if ignoring it now could kill your business before it even gets off the ground?

In this episode of Pick My Brain, Cole Cornford, founder of Galah Cyber, joins Alan Jones to unpack the real security risks early-stage startups face, and why they’re not always the ones you expect. Forget hoodie-wearing hackers: the bigger risks might be your Instagram account, your payments funnel, or the invoices sitting in your inbox.

Alan and Cole explore how to think about attack surfaces without jargon, when frameworks like ISO and SOC 2 actually matter, and why introducing just the right amount of friction can save you from catastrophic mistakes. They also talk branding, talent, and how Galah’s bright pink approachability helps win the right kind of customers.

If you’re building a B2B SaaS startup or scaling towards enterprise clients, this episode will help you avoid costly security missteps and focus on the protections that really matter.

Resources

🙋🏻‍♂️ Cole Cornford: https://www.linkedin.com/in/colecornford/

🛡️ Galah Cyber: https://www.galahcyber.com.au/

🔒 Secured Podcast: https://www.galahcyber.com.au/podcasts/

Transcript

Alan Jones: Founders scale faster on Deel. Set up payroll for any country in minutes. Hire anyone anywhere. Get visas handled fast and get back to building. Visit deel.com/dayone. That's d-e-e-l.com/dayone.

Alan Jones: Let's say we're a B2B SaaS company, right? So everybody's paying us a per-seat license per month to use our service. What are some of the likely parts of that attack surface that, that we might need to keep an eye on?

Cole Cornford: If you're a competitor, one of the things that they might want to do is steal IP from you. Another one might be to prevent you from being able to do business. And so I'd be looking at what is the funnel that you use to get people to actually buy your product. And so many B2B SaaS businesses that I know don't spend any time thinking about how do I protect my Instagram, my YouTube channels, my podcasts, like my marketing funnel, that is the way that I get people to even like buy services from me, know that my product exists.

Alan Jones: Welcome to Pick My Brain, the podcast where we help startup founders improve their pitches to better connect with customers, co-founders, and investors. My name's Alan Jones, and I'm an ex-startup founder myself, but now I'm an angel investor with decades of experience helping new businesses find their footing and achieve their goals. But first, I'd like to acknowledge that this podcast is being recorded on Gadigal land, land that was never ceded. I pay my respects to their innovators and leaders past and present. On Pick My Brain, you'll hear the real story straight from founders as they pitch their startups, tackle the challenges we all face, and turn their ideas into a successful business. Each episode, we'll see if we can help these founders take their startups another step forward with advice, ideas, and maybe a little constructive criticism. Thanks for joining me.

Speaker D: Let's get started.

Speaker E: You're listening to a Day One FM show.

Speaker D: As a startup founder, you're juggling multiple priorities from the expected, like finding product market fit, to the unexpected, like customer requests for SOC 2 or ISO 27001 certification. But achieving compliance is time-consuming, and time spent on that is time away from the needs of your business. That's where Vanta comes in. Vanta is the all-in-one solution for startups to become compliant quickly and build a security foundation with ease. With a combination of automation and extensive partner network and a security marketplace, Vanta provides the necessary tools and expertise for startups to achieve compliance seamlessly, no matter how urgent your needs are and at every phase of growth. Over 10,000 leading companies, including Cipherstash, Handle, and Indetted, trust Vanta to automate compliance so they can focus on growing their business. Startup customers like you get $1,000 off Vanta at dayone.fm/vanta. Vanta, V-A-N-T-A, at dayone.fm/vanta/brain.

Alan Jones: Today we're joined by Cole Cornford, who is the founder of cybersecurity consultancy Galah Cyber. Thanks for joining the show, Cole. How are you going?

Cole Cornford: Oh, fantastic, mate. I'm really happy to be here. It's awesome to come on to Pick My Brain. As you know, I run a podcast myself, so it's exciting to be able to go on someone else's, not as the host this time.

Alan Jones: So look, I've asked you on the show today to talk about a topic which has been on my mind quite a bit of late. And the reason is that when I was a startup founder centuries ago in the dawn of time when dinosaurs roamed the earth, we existed in a much more simple digital environment where technologies were much simpler and there were still good actors and bad actors. But generally speaking, those bad actors were a little simpler to deal with. And what's happened over the decades is that the field of cybersecurity has gotten quite a bit more complex and a little bit intimidating to early-stage founders who are looking at everything they need to do to get a business up and running. And one of those things they understand at some stage will be cybersecurity, but they're not quite sure about when to start thinking about it. And sometimes when they look at some of the information that's available to them online, it goes really deep on the jargon and the acronyms and the specialist knowledge. And I think that makes a lot of our listeners decide, "Nah, that looks scary and expensive and complicated." Yeah. I'm going to put that off until later, right? And my concern and the concern for all of our listeners should be, you're correct to prioritize everything you need to grow your business, but one of the things you need to be careful about deprioritizing for too long is your stance on cybersecurity and your plans to make sure that your customer data is secure. I think that's probably something you agree with, right? But before we begin, let's talk about, let's go through our first two standard questions that we ask every guest on the show. And the first one of those is when we, when you were a kid, what did you want to be when you grew up?

Cole Cornford: I really wanted to be a video game developer and that's because I grew up playing games like Banjo-Kazooie and like Conker's Bad Fur Day on Super Nintendo, Donkey Kong Country and progressing into Final Fantasies and Team Fortress 2s. And so I was always really interested in playing computer games and thinking to myself, man, it would be great to design this and like be on the other side, make something that people would love and really enjoy. And then the reality of going to university and realizing that, A, only the smartest people who are really good at 3D programming can actually probably get into that industry. And two, I'd have to move to America. And so I, there wasn't really much of a gaming industry locally. And so I, like as a child and even all the way through high school, like my, my dreams kind of shattered as soon as I got into university. But I still have it in the back of my mind that what I could at some point in the future, maybe if Galah takes off really well. Get into sponsoring some gaming companies, right?

Alan Jones: So— Cool, cool. So that's still a long-term aspiration.

Cole Cornford: I still like the idea of it, but I take a lot of pride in doing software security at the moment, so.

Alan Jones: Cool. Which of the esports would you most like to be a sponsor of?

Cole Cornford: Oh, well, look, I played a lot of Team Fortress 2. I was a medic player in the game. I used to play Sixers for AusFortress. And so, and at the moment, I still, like, I've actually sponsored a team to go to America to compete in the, um, in the Denver LAN, which is the TF2 International competitions around nowadays. So, which I, I know it doesn't seem like much, but being able to give a bunch of teenagers an opportunity to travel to America to play video games is something that I was never afforded an opportunity to. So, um, they've got a Galah logo on their shirts, and I'm happy with that.

Alan Jones: That's awesome. So, um, there's also, uh, several galahs in the, in the background of your video, uh, for those people listening to the podcast rather than watching. There's a framed galah in the background and there's a number of toy galahs. Cole, can you just step us briefly through why the galah is the mascot of your work?

Cole Cornford: Yeah, so most of the cybersecurity companies, they aim to go for like the typical, the stereotypical brand, which is like either blue and black swords and shields for safety, or it's like scary animals that are black and green, black and red snakes and hawks and ravens and, you know, things that show that you're really intense, right? Yeah. Rawr. Yeah. I said, what is an animal that is incredibly unintimidating and is like, you know, the opposite of these color schemes? And the good news is that I was going for a drive and just saw all these galahs sitting on the side of the road. I just didn't think that, like, they're not an intimidating animal. People actually think they're a bit stupid and like, they just ignore them. So I was like, all right, done. We'll pick that because it's not a threatening thing. I want cybersecurity to be approachable, not threatening. And two, the color scheme, bright pink. It's like so different from everything else in cybersecurity that I knew would stand out. And early on, I had so many people pushing back against me saying that they can't take my company seriously because of the color scheme. But now people say it's one of the most recognizable companies in Australia. So there we go.

Alan Jones: Very cool. So like at Galah, standing out in a sea of competitors is a smart strategy from a brand perspective.

Cole Cornford: Yeah. Yeah, absolutely. And it's fun because like, it's also really good for talent acquisition because like a lot of people think my company's softer and more like, you know, kind and friendly. And it's good for like people who want to work with me because they think about that is one of the values that I bring into these kind of relationships with customers is that we make stuff approachable and simple and that they're not afraid of galahs. But yeah, like we do lose business to the Sword and Shield spiky animal kind of ones every now and then where people just say, oh, those folk are all ex-military hacker people. So they're the best, but that's okay. Segment and choose your right customers, you know? I know there's a lot more people who find cybersecurity intimidating than there are folk that need like nation-state adversary hackers style types, right?

Alan Jones: Cool, cool. So I first invested in a cybersecurity company, I think back in 2013, 2014, that was probably UpGuard. And I've invested in a few since then, but I still find cybersecurity one of the densest, most specialist areas of technology. Do you find the same? You know, what proportion of businesses that approach you, approach you proactively versus businesses approaching you because something terrible has happened and they need to remediate it?

Cole Cornford: So there's 3 buyer journeys. There's the people who've been burned before and they know that they need to do something about it proactively. There's the people who are currently in the process of being in a fire and it's not a good time. And then there's the people who say, I need to do this because it's necessary for me to participate in the market. So the compliance-oriented ones and all 3 of them, we're happy to interact with and help on their journeys. But my favorite ones are definitely the proactive people because they recognize that investing in a good security program early can help make— save some headaches a little bit later on. So the reactive ones, it's all about keeping them calm and making sure they understand how they can get back to baseline before we worry about iterating on top of that. And the compliance ones want to do the bare minimum to just pass the audit to enter a new market, which was fine. We're happy to service those customers because there's a big, big need to hit the baseline, but we want to also make sure that people work above and beyond it. So it's, yeah, we find that those are the 3 main buyer journeys.

Speaker E: Adam here from Day One. Just a quick message from one of our sponsors. Standard Ledger is your trusted partner for end-to-end financial support. They provide core accounting services plus expert financial guidance when you're ready to scale. Whether you need help with bookkeeping, payroll, R&D, or even fractional CFO services, their team supports founders across Australia to manage finances, raise capital, and grow their businesses. Visit dayone.fm/standard today to book your free chat.

Alan Jones: Cool, great, thank you. One specialist bit of jargon that comes up in cybersecurity all the time that I find founders find confusing is the idea of an attack surface. Is there a way for a layperson to understand what an attack surface is for an organization?

Cole Cornford: Yeah, it's just the amount of things that you have really, right? So those things, and that's it, it's things. So it could be the amount of servers you have, the amount of accounts you have, the amount of websites you have, the amount of people you have. So it's just the quantity of objects that exist in your business and—

Alan Jones: Hey, let's not call the people objects, but I understand what you mean. Let's call them resources, right?

Cole Cornford: There we go. But the larger your attack surface is, the more types of like opportunities that a threat actor has and the more, the bigger they can—

Alan Jones: Sorry, pull you up there. Jargon alert. Threat actor. What's a threat actor?

Cole Cornford: Yep. So a threat actor could be causing some kind of adversarial damage to your organization. And it may be someone who is horrendously incompetent internally and fat-fingered a password reset. It could be someone who's from Russia or China, Iran, who wants to like just steal information from you to build their own IP. And it could be someone trying to steal money from you to just fund, fund their next jet ski on the Gold Coast, right? So the idea is that they're going to cause some level of damage to your business and you need to think about what that's going to be and why they want to do it and how to protect against it. But when we go back to attack surface, all we're trying to think about is, well, let's just give them less opportunities to hack us. Right? So I'm not saying don't hire people, don't use services. Just be mindful that when you start broadening the number of technologies in use or increasing the amount of headcount in your business or working with more suppliers, that creates more risks and more opportunities. And this is why cybersecurity starts to become a bigger challenge when you become a larger business, because it's inevitable when you go from, say, 20 to 40 to 100 headcount, that you're going to have to start relying on third-party suppliers. You're going to have to use, like, all of these different bespoke systems that need to connect together. And that complexity is often where hackers find the gaps to break in.

Alan Jones: Cool. So let's say we're a team of 5 people. We're all working out of coworking space and from home and remotely. We're all using one of the cloud providers for our email services and website hosting and app hosting. And let's say we're already global from day one. So we've got some customers in other markets. People who are, let's say we're a B2B SaaS company, right? So everybody's paying us a per-seat license per month to use our service. What are some of the likely parts of that attack surface that we might need to keep an eye on?

Cole Cornford: So a lot of cyber people go straight to technical things. I'm going to take a step back and think about as a business, what are the areas that people are going to try to focus on either to disrupt you or to cause, like to achieve their motivations and their goals, right? If you're a competitor, one of the things that they might want to do is steal IP from you. Another one might be to prevent you from being able to do business. And so I'd be looking at what is the funnel that you use to get people to actually buy your product. And so many B2B SaaS businesses that I know don't spend any time thinking about how do I protect my Instagram, my YouTube channels, my podcasts, like my marketing funnel that is the way that I get people to even like buy services from me, know that my product exists. Because if you can't get customers, you can't make money. And that's more of an existential risk than getting hacked and someone stealing your database, right? So I'd be looking at that. The other one is your payments channels. How do you take money in and how do you send money out? Because a lot of the time we're not always going to be using credit cards or automated direct debit relationships. We're going to have to be paying invoices to suppliers. We're going to have to be running payroll. We're going to have to, you know, like take payments in different forms, especially as a B2B service, you know, you've got BPAY, direct debits, like Stripe or like, you know, all of these Braintree and all of them, they handle it to a degree, but they don't do everything. And so introducing a level of friction early on that slows your business down is worthwhile because then you're less likely to make a mistake. So if above a certain threshold you say, okay, now that's, that's starting to make me feel uncomfortable paying like a $5,000 invoice, then you go and call that person up. And make sure that the account details are correct. That's, those are the two most common things I see B2B founders not do correctly, because they'll focus on the traditional cyber advice, which is use multi-factor authentication, use strong passwords, patch your devices, but then they get compromised because they didn't protect their marketing channels or they didn't protect their payments platform.

Alan Jones: Mm-hmm, mm-hmm, right, right, right, yeah. Yeah, the password for my company Instagram is password123. Should I change it to password1234?

Cole Cornford: It'll be more secure, of course, do that.

Alan Jones: Yeah, yeah, yeah. You use an interesting phrase there, to introduce a little bit of friction above a certain comfort level. And I think, you know, sometimes we are prepared to commit to getting someone like Galah to do a one-off audit of how things are now. But of course, in the early stages of a startup, everything's probably changing every couple of weeks, maybe a couple of months, we might be involving new tools, we might be backing up to a different provider. So I guess it's necessary to also have like a process that comes back and reviews, checks to see whether everything is still as it was before when we last reviewed it.

Cole Cornford: Yes, you, but also at the same time, there's an opportunity cost. So while it's important to get some of the baseline correct early on, like protecting your marketing, protecting your general IP and protecting how you handle money, you also need to make sure that you are not spending money on things that just aren't relevant for the growth of your business that early on. So when I see people who like, and I've, I've met a lot of like CTOs and technical founders who have worked in a larger business and then started out wanting to do internationalization and accessibility and security and all of these other non-functionals immediately. And I'm asking them, that's an opportunity cost. You, you could be spending out hiring your first SDR, or you could be using that on going out to conferences and getting your, your business to grow. So there is a lot that you can do that costs very little. So I would start with that. The ACSC, like Australian Cyber Security Agency, I can't remember what the last C stands for.

Speaker E: Center.

Cole Cornford: Center. That's it. They like have a small business guide. If you just read through that, it's going to save you a lot of money for talking to someone like myself. But when you get to the stage where you've hit product market fit and then suddenly you're hitting these barriers and these scale challenges, then it's worthwhile to get an independent audit happening.

Alan Jones: Correct. You know, so if I'm a founder who has no prior experience in cybersecurity, there are a number of different people I can turn to, to seek advice. But those specialists in cybersecurity, is there some sort of regulatory framework or certification framework that I can check to see that the advice they're giving me is more likely to be correct?

Cole Cornford: That's an interesting one. So I will say that there is a couple of them out there. Like there's a government one called Essential 8. But the Essential 8 is good for, it's designed for Windows workforce environments. So I think like local councils, hospitals, it's not good for startups because most startup founders I know get a MacBook Pro and they use Google Workspace and they use Slack and the Essential 8 doesn't apply in that kind of ecosystem. And the, what you need to do to work towards something like SOC 2 or ISO is a lot of work. So, and early on, that's an opportunity cost from doing the you know, types of activities that are useful for you guys. Instead, I think doing something as simple as asking yourself a couple of questions like, what can go wrong and what am I going to do about it? And did I do a good job? Is a great place to start. Involving someone like myself just to bounce some ideas off of and getting, or going to those security meetups and just talking to a couple of people there, that could be all you really need to do to get going. So you don't want to overinvest in it early on.

Alan Jones: Okay. Jargon alert there. We had 2 bits of jargon pop up. One was SOC 2 and the other one was ISO. Can we unpack that a little for our listeners?

Cole Cornford: Yep. So SOC 2 is a compliance framework. There's 2 types of them, Type 1 and Type 2. It's what a lot of them— if you're looking to export into mostly America, it's kind of the expectation that a SaaS business has achieved a SOC 2, what do you call, certification. Now, ISO is a different type of certification. It's more generally used for European and Australian businesses. So if you're selling domestically or over in Europe, ISO is generally well accepted. The difference between the two is that ISO is risk-based. And so you say, here's my scope, here are the risks that I have for my business, and here's how I'm going to manage those. And management can be something that's like, I, I'm going to accept that risk. I'm going to give it to somebody else to manage. I'm going to control for it. But as long as you are managing these risks effectively, then you should be able to work towards getting ISO. SOC 2 is you have a bunch of technical controls and they, they expect them all to be technically implemented. So they will go down every single control and make sure you've been doing it. But yeah, if you are selling into Australia, I'd look at going to go for ISO. But if you're looking at the States as your primary market, you'll need to get SOC 2 to start selling heavily in that area.

Speaker E: So.

Alan Jones: Right, right. And generally speaking, it's, it's larger organizations, enterprise customers who will stop you at some point in your pitch and say, you know, are you compliant? Can you show me your SOC 2 or your ISO?

Cole Cornford: Yeah, so if you're a B2B company, then security becomes a differentiator for you guys and a way to participate in markets. But if you're B2C, it's quite unlikely that security is going to help as opposed to just focusing on customer acquisition. So be considerate of who you're selling to before you invest in a large security program.

Alan Jones: Is there a founder-level sort of meetup? Is there a, founder-level podcast on the basics of cybersecurity, other than this episode of Pick My Brain, that you might recommend to listeners?

Cole Cornford: So one of the ones I like is Sydney Technology Leaders, and they usually do security every 6 months. And the reason I like Sydney Tech Leaders is it's people who are like reasonably technical or in the startup ecosystem, whether it's scale-up businesses or have startups themselves. And there's, if you go to the ones that are aimed at security, which again, I think they're every 6 months or so, that's usually common enough. I find that either you get an audience of like tech professionals who want to learn about security or tech professionals who've done it and they're really good to talk to. I would be very hesitant about going to a security meetup because you are going to get people who are focused on the, the delivery of a security service, not necessarily on choosing what security activities to be doing. CTOs, just broader technology meetups, they're probably the best place to go. And I know that even like the business chamber ones, but those kind of like business chamber accelerator meetups are probably going to tell you do MFA, patch your software, use the right SaaS services, reduce your attack surface. I think that that advice is like teaching people to suck eggs, probably.

Alan Jones: Yep. One more acronym there, MFA, that stands for multi-factor authentication, doesn't it? That means, you know, I go to log in and the platform sends me a text message and I have to pop that 6 or 9-digit number into a, into a form before I can continue.

Cole Cornford: Yeah. And there's a lot of nuance where you'll have some cyber people tell you that text message-based MFA is not secure, but ultimately it's better than nothing. You should use it. It gets rid of most types of adversarial threats against logging into your account.

Alan Jones: Cool, cool. Yeah, yep. Face ID, touch, all those things, they're all great too. Cole, thank you very much for coming on the show today and helping us unpack some of the basic foundations that early-stage startup founders and teams might want to keep in mind when they're thinking about making sure that their attack surface is hardened, I believe.

Cole Cornford: Correct.

Alan Jones: That's the way to go. And if you want to find out more about what Cole Cornford is doing and the services he has available, you can find them at galahcyber.com.au. Galahcyber. You can't miss them. They're all pink and white.

Cole Cornford: Thanks for having me on.

Alan Jones: Thanks for joining me for this and every episode of Pick My Brains, the advice podcast for every startup founder.

Speaker D: Thanks for listening.

Alan Jones: If you enjoyed this episode, never mind the don't forget to like and subscribe button, blah, blah, blah. Instead, take a moment to share some of the advice you've heard today. Think about somebody that you might be able to share that with, that you might be able to help, and maybe they'll like and subscribe. I really don't mind. Now, I am not a lawyer, an accountant, or clearly a cybersecurity researcher, and what you've heard today is not intended as financial, legal, or cybersecurity advice, and you should always seek that from a qualified professional such as Cole Cornford before making big decisions. I'm not a superhero either, so don't forget that sometimes, actually pretty regularly, I'm fallible. Very occasionally I'm wrong. So please let me know when you think that might be the case on our socials or at my email address for the show, which is pickmybrain@startupfoundercoach.com. The Pick My Brain podcast is produced, edited, and being directly to your ears by the hardworking and understaffed team at Day One, the podcast network for founders, operators, and investors. Find out more about us at dayone.fm. That's dayone.fm.

Speaker D: Thanks for listening.
