Infotrust bridges cyber security with business strategy 

News
24 Jul 2025 | 10 mins

Sees complexity in the cyber security industry, requiring better support for customers and MSPs.

Simon McKay (Infotrust)
Credit: Simon McKay (Infotrust)

Having someone who can translate cyber security into real business values is a strategic move on InfoTrust’s part, as it looks to guide customers through an increasingly complex landscape of compliance, governance and risk. 

That was one of the reasons the managed security service provider (MSSP) added former James Cook University chief information security officer (CISO) Jan Zeilinga to its executive team in early July.

In his role as Infotrust CISO, Zeilinga will oversee the strategic direction for several of the MSSP’s technical services divisions, as well as work closely with customers. 

In an interview with ARN, Infotrust CEO Simon McKay explained that bringing in someone like Zeilinga, who has extensive industry experience and has worked on many boards both as a consultant and in a senior role, adds tremendous value. 

“Jan’s role helps us validate and support customers’ cyber security strategies or even help build those strategies from scratch if they don’t have one,” he said. 

However, today’s cyber security landscape requires more than just strategy to help customers, noted McKay. There also needs to be capability to implement that strategy. 

“You can write and get a strategy approved but if you can’t execute it, the organisation won’t move forward,” he said. “That’s why we focus on creating strategies and backing them with an augmented team at InfoTrust. 

“It’s less about rushing to show immediate action and more about committing to the journey… demonstrating improved cyber security maturity progressively over the long term.” 

While Infotrust has about 900 customers across the country of all shapes and sizes, the MSSP’s SMB and mid-market clients often don’t have a CISO and rely on a partner like InfoTrust to help. 

“[We] make sure they’ve got the capability, or the tools, or the strategy, or the people to implement what they need,” he said. “Jan and his team work broadly across many customers to help share their experience. 

“Then they make sure those organisations are as protected as the enterprises.” 

Zeilinga added that while every industry is different, there are four broad trends he is seeing across the board: compliance, resilience, IT complexity, and privacy and data protection, all of which are driven by constant threats and regulatory pressure.

“The government [and] industries want to know that we’re doing the right things in cyber security,” he said. “All I see in compliance is the paperwork that proves that you are trying to be secure … it doesn’t guarantee you are secure. 

“That’s why government, risk and compliance teams are critical and we’ve got great accountability around that.” 

The second is resilience, which is emphasised in the Australian Cyber Security Strategy, explained Zeilinga. The Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 230, which is about operational risk management, focuses on IT service resilience for financial institutions in Australia. 

“Every day someone tries to break in and it becomes a matter of how quickly you can detect, contain and recover,” he said. “On the other side, when things do go bad, what does that mean from an organisation resilience perspective?”

Not every customer can recover in every case, and the CISO said those customers will need help on their security journey.

All this is driven by IT complexity and with complexity comes a higher need for management because it takes time to prioritise where to focus efforts, Zeilinga said. 

“That’s why this continuous threat and exposure management is important, because not all systems are equal,” he said. 

Adding to that are Zeilinga’s favourite topics: privacy and data protection. 

“Data is the lifeblood of the digital ecosystem, and it spreads across third-party sites and unmanaged applications,” he said. “You need to get a handle on that and bring it into thinking around risk appetite.” 

This is why when it comes to cyber security, it’s important to start with strategy and the governance piece, said McKay. 

“If you start with that strategy piece first, it’s not a prohibitor to use tools [like AI],” he said. “It’s just making sure that even if there are risks, everyone understands the risk. 

“It’s not a case of, ‘Is this really risky?’; it’s about understanding that and having a plan and acknowledgement that we understand the risk and [then] it’s an acceptable risk.” 

This is why cyber security needs to be part of a broader business strategy conversation. Zeilinga noted that when he spoke to boards, he was always amazed at how much they understood cyber risk. 

“They seem to be a lot more informed nowadays and they really do consider performance versus risk, as well as the fact we exist here in cyber security just to find out that risk,” he said.

“As that filters down into the C-suite, the message starts to get a little diluted. By the time it’s reached the business, they don’t fully understand the risk side.” 

Mentoring MSPs 

When it comes to cyber security, Zeilinga noted that SMBs can move quicker than enterprises but are hampered by the belief that they can just buy a tool to protect everything. 

“They think they can just buy that magic lock that protects all their stuff,” he said. 

McKay believes they need a better understanding of the tools that significantly help with and manage detection and response.

“The threat landscape continues to evolve. Bad actors get access to the same controls and products,” he said. 

That’s why it’s important for organisations of any size to turn on as many controls as possible. Even with all the controls in place, organisations still can’t say they won’t ever be breached — that’s why having a plan in place to respond is just as important. 

“We have to live in a world where you presume you’re going to be breached nowadays,” said McKay. “[It puts] businesses in a much stronger position to respond — and not just technically — but communicate with customers and the business internally.” 

One of the things that worries McKay is the ability for smaller businesses — that provide services to the large end of town — to understand compliance requirements being pushed down on those organisations. 

He noted that IT service providers shouldn’t “want customers spinning wheels or spending money in the wrong areas”. This won’t help “move the needle on aligning to these compliance requirements or improving their security maturity”. 

MSPs need to be transparent and open with customers and be clear about exactly what they’re getting for the money they’re paying. 

However, smaller MSPs are doing what they can and just trying to compete in a very competitive landscape where margins are thin, noted McKay. 

“Maybe some regulations are good, but you don’t want to tie them down in red tape,” he said. “You’ve got to enable them to run their businesses and it can’t be over-bureaucratic.” 

Another part of this could be partnering, McKay said. The world of technology and cyber security has become too complex. 

“You actually have to find good partners,” he said. “It doesn’t really make a difference to which end of town you’re in — you know, top or bottom — it’s all about partnering now. 

“Over the years, we’ve worked with those MSPs that know what they’re good at and they’ll bring us in to do a lot of security-focused work for their customers. 

“There are a lot of those MSPs that will recognise that, or want to grow into cyber, but would like the tutelage or mentoring to push into that space.” 

InfoTrust continues to mentor and work with other MSPs because “customers appreciate that”. 

“[Partners] can retain and grow their own team because they get good mentoring or augmentation from senior members in our business,” McKay said. 

Stressful time for CISOs

Both McKay and Zeilinga feel it is an ‘incredibly stressful time’ for those in cyber security, and that being able to manage both situations with empathy and calmness is important.

That was one of the reasons why Zeilinga chose to move from the customer landscape into an IT service provider. 

“I wasn’t seeing my family enough,” he said. “I also quite enjoyed being around people. I had a great discussion with Simon and he described the Goldilocks position that InfoTrust was in — that was quite exciting.” 

Across the industry, the CISO role is a very stressful position, with much of it outside the CISO’s control and reliant on technical service providers or the business to make decisions.

“When things go wrong, you’re out to account,” Zeilinga said. “There’s a very close-knit group of CISOs in Sydney who meet regularly and check in with each other. 

“So, when something does go wrong with a friend, you’re not calling him up asking the technical details — your conversation is normally about how [they’re] coping.” 

Zeilinga believes one reason CISOs are leaving the industry is that some focus too much on technical solutions. 

“You really have to focus on the business outcomes, and the technical stuff will come,” he said. “That’s not your role as CISO – your role is to win the hearts and minds of the executive team, leadership, and support technology delivery teams.” 

Joining Infotrust

This is why an organisation like Infotrust suits Zeilinga, where he gets to be around people who understand “depth and skill.” 

“It was very clear to me that I wanted to be part of it,” he said. “Then I had to leave my job, which I was very happy with and I loved my team up there.”

However, this was exactly where he felt he belonged because of the incredible depth in skill of InfoTrust employees, as well as “a lot of passion, and a bit of excitement”.

Zeilinga joins a number of hires Infotrust made in December 2024, including John Procopis as general manager of sales for Queensland, Victoria, South Australia and the Northern Territory, and Rich Harris as general manager of sales for NSW, Western Australia and the ACT. 

McKay told ARN Infotrust was made up of three organisations through the acquisition by Spirit last year. 

“I was one of the co-founders of Infotrust. I came on board to join the board as one of the investors and then as the CEO, to implement the cyber strategy,” he said. “Intalock has been part of Spirit for about four years and we merged those two businesses. 

“We acquired a cyber organisation in Melbourne called Forensic IT late last year and then we have Spirit Managed Services, which is a traditional MSP.” 

McKay said the organisation was building out more capability to deliver managed network security and managed firewalls, which it has been doing for years.

The organisation has about 250 people now. As for acquisitions in the future, McKay said: “Watch this space.”