My AI Startup Helps Businesses Stay Compliant

Published: February 25th, 2024
Tristan Roth
ISMS Policy Generator, from Paris, France, started October 2023
$500 revenue/mo · 1 founder · 0 employees

Hi. I’m Tristan, founder of BetterISMS, an information security compliance company. You might ask yourself what the hell is that, and if that’s the case, lucky you. I help SaaS companies implement and document their cybersecurity measures. It has been my profession for more than five years and now I want to come up with my products as I see many gaps to be filled, especially in the AI era.

I have two main products. One is a ChatGPT Security and Privacy Training. I’ve taught more than 1200 people how to use AI tools securely. This is a big concern in startups or corporations, especially the ones handling sensitive data.

My second product, launched at the end of 2023, is a micro-SaaS delivering a service I used to do manually as part of my work. ISMS Policy Generator generates the documents needed for startups to get the ISO 27001 certification, a big cybersecurity milestone I helped my employers achieve. In a nutshell, my clients are mostly CTOs, or security and compliance officers of startups and corporations.


For the micro-SaaS, December 2023 has been a great month as I could see paid customers coming, making the micro-SaaS profitable. I must admit January and February are more difficult months though. I significantly raised my prices (up to 4x) to adapt to my customer target, and customer acquisition slowed down simultaneously.

But in B2B, the impacts of some decisions take longer to show up, and I understand there might be some cyclical effects at play (it seems that many SaaS owners noticed a tough January), so I’ll practice active patience. Regarding the AI security awareness training, 250-300 new students join each month. It’s currently free so I’m not earning from it except Udemy Business royalties, but I’m creating a distribution for future AI security courses and will make money from it.

A sunny product building session

What's your backstory and how did you come up with the idea?

I’m a French 27-year-old guy, currently living in Spain. I created my first website when I was 10 years old. Later, I built non-profit organizations in the meat alternatives space and wrote content that reached millions of people on Quora. Building is in my DNA. And that’s why I’m building my company today.

My current mission can be summarized as follows: reconcile information security management and AI. I’ve been interested in AI and its governance since 2018 when it became a topic in the effective altruism community. AI is progressing fast and if this has many implications, it certainly has security and privacy impacts. As a security professional, I believe the challenges we must tackle in the field of information security are so many, and we’re so understaffed, that AI assistance is needed. That’s why security and AI must work together.

I came up with the idea of generating security documentation early in 2023. I was leading the preparation of the ISO 27001 audit for my employer in the fintech industry. I had to write or update more than 80 documents. I’m courageous, but this is a very tough process.

At the time, ChatGPT started to become very popular, and I immediately perceived the benefit of getting some AI assistance in the writing process. The key issue was how to do this securely and in alignment with privacy requirements. This is how I decided to learn everything I could about securely using AI tools. As there was no course, I self-taught and built one.

As I was experimenting with generative AI, it became clear: I had to build a tool that would automate the writing process I manually went through, for my future needs but also for other companies. ISO 27001 is a standard, meaning the documentation needs are pretty much standard as well: security policies, procedures, and some plans in case the company has an incident or a disaster. So, I rolled up my sleeves and started to work. I learned a popular no-code platform and built the prototypes of my document generators.

The policy generator I built solved my own pain point, and I like to build products that way. It makes validation easier and you have less trouble understanding your customers. It turns out the problem of documenting your information security is a common one for startups.

Many solve it by buying ready-made Word documents, but they’re not tailored to their company so results are poor. Smaller startups sometimes use ChatGPT, but there’s a learning curve to do this well, the models are not necessarily up-to-date with the latest standard details, and people still have to figure out which document they should ask ChatGPT to write. My tool takes these problems off their mind. Users reply to the questions, and I make sure the methodology is right. That’s how I realized this idea had potential and started to work on it after my employment hours.

Take us through the process of building the first version of your product.

A policy generator is a form that captures the user’s inputs and sends this information along with instructions to an AI model that will write a document. This document is then exported in Word format. I had to build more than 30 generators (each document has its generator), based on thinking about what the best content to include in these policies would be. This meant figuring out what topics to cover in each document, what questions to ask the users, what input fields, etc. Each generator keeps being improved based on testing, user feedback, and my continued experience with ISO 27001 compliance.

The first versions of the product were not generators. In the first weeks, I proposed the classic Word templates. In the meantime, I was trying my best to learn how to make this generator thing work. Within a month of tinkering, I managed to have an early interface that would display a policy text once the user provided very basic information about the company. The result was very simple, still not tailored to the business, and you had to copy and paste the result into a document and take care of the template. Honestly, it was very ugly.

Progressively, I worked towards creating more complex generators that would capture user inputs more deeply, and learned how to make sure the result would be a ready-to-share document. I also had to learn a lot about OpenAI models while working: which instructions would lead to the best possible outputs, how to cut my API calls into different chunks, how to make sure API calls would never have issues, etc. This was the hard part and required a lot of testing.

It took me several months to get to a point where I had performant generators. Most of the progress occurred after the 2023 summer. During these first months, I didn’t make any sales. In retrospect, I’m happy because, at this stage, the generators were not good enough to make customers happy. I suddenly started to sell in the last quarter of 2023.

A more mature product, more documented, looking more professional, with early user testimonials. There are some kinds of products no company would pay for before using or seeing them in action, and I think this is one of them. This is why I made a demo generator available, and it converted the curious into paid users.

Running this micro-SaaS is rather inexpensive. I’m currently at around $100/mo for what’s purely needed to make it work. It’s more the things around it that cost. I’ve engaged a security monitoring company to protect my SaaS and detect and fix vulnerabilities, which is something you have to do when you sell an information security product. I also had to set up my business, buy insurance, and some tools to automate accounting or be fiscally compliant. And of course, the rest of the spending is marketing tools. Overall, my profitability threshold is rather low, especially compared to a startup. Having 2 paid clients per month is enough to be profitable.

A bit about what the early days looked like. Pretty much similar to current days.

Describe the process of launching the business.

I didn’t have one launch. I had several launches and I keep launching. My SaaS, given its name, finds its clients through Google. People just type “policy generator” for cybersecurity and they find me. I’ve been focused on SEO from day one. I also do education on LinkedIn, typically posting one generated policy and explaining why this policy is good from an information security perspective.

I now also turn some generators into standalone free tools and launch them on websites like ProductHunt for traffic and SEO. Let’s say that I started to become more serious about marketing and using my own product in November 2023, and saw a wave of customers coming in December.

My first website was really basic. See below the before and after. I progressively did what I was supposed to do: showing the product, letting prospects try it, communicating more clearly the value, showing testimonials, and avoiding using generic “get started” buttons.

The tough part for me was, and sometimes still is, admitting that doing these things is needed. You think you’re great because you build a product that has potential, but users won’t necessarily trust it. So, you have to do marketing the proper way and put ego aside.

Dan Kulkov’s posts have been very eye-opening on that topic. I still consider that I do insufficient marketing and try to do a bit better every day. I would say selling to cybersecurity officers feels harder than selling to marketers, as promoting a product is not always well seen, even if it solves a problem they have.


I financed my business using my main job’s money. I was employed as an information security management specialist and I still am, even if I reduced my working hours to make this work by running my micro-SaaS. I appreciate having both because, in my domain, there’s a real risk of building something that doesn’t answer a need if you don’t keep in touch with real companies' needs.

My cost breakdown is roughly 25% running the SaaS, 25% other IT costs like security vendors, 25% admin tool fees, and 25% accessing help from experts when I’m stuck.

My biggest lesson is that there are cases where there’s no such thing as a big launch. At least for a SaaS where anything needs to be tested: the positioning, the messaging, the pricing, figuring out who’s the ideal customer profile, etc.

My initial customer profile was solopreneurs, which makes no sense in retrospect (except if they have a SaaS that handles sensitive info and reaches big B2B clients). So, this is why I’m glad I actually iterated and iterated, maybe slowly and progressively, to get to the point of reaching paid customers who told me they like what I’m doing.

Early version

Today’s version

Since launch, what has worked to attract and retain customers?

The best thing that led to a better product was dogfooding. It’s easy to be so absorbed in building that you forget to be your first user. When I used my own SaaS to document my information security management system, things felt different.

I spotted inconsistencies in the generated documents, improved some generators, and offered new policies to some clients. Dogfooding is always rewarding. I’m happy to build tools that I need to use, and this is my guiding principle for the next products on the roadmap.

I’ve started with 2 ways to attract customers that differentiated my SaaS from other actors.

  1. My service uses AI when the classical offer is Word document templates that are not tailored to the client’s company.
  2. I entered the market with lower prices and a fatal weapon: no “book a demo”. Immediate signup instead.

Given my market, my traffic efforts are LinkedIn and SEO. On LinkedIn, I’ve tried a lot to “hack the algorithm” and go viral with some carousel posts. While some weeks I reached over 50k views, this is short-term attention, and posting the same carousel 20 times in different groups can be considered spam and hurt reputation.

So I’ve decided to reduce such efforts and focus on sporadic adequate group postings (without links) and increased engagement with accounts in my field. Around 500 people/week see my profile including my CTA link. I try to reply to comments and repost thought leaders’ posts at least one hour a day.

It’s a bit hurtful to realize there’s no “hack”, but I’m glad I managed to admit this.

Guess when I was massively posting in groups

I don’t run ads because my prices are not high enough yet to make it profitable. I don’t do outbound calls or emailing because it’s not my thing and it looks spammy. I’m way more team content that converts. I’ve no religion on these topics but this is how I see things today.

I’ve given up Twitter as a means of selling, it’s now just a means of meeting like-minded builders and helping each other. I’ll now increasingly explore email sequences for people who tried the demo, and develop partnerships with like-minded people I find on LinkedIn.

I like the idea of light partnerships, when you just become friends and provide each other’s service when it’s relevant, i.e. one has a client that could benefit from the other’s service.

Existing customers usually have over 30 policies to generate, and they stay with me until they’re done generating the documents. I think that people should leave when they don’t need a service anymore. Until now, my platform didn’t allow the users to edit and manage the generated documents, it was just sending all the documents by email. It means a low LTV and I indeed saw some people leaving rapidly after they were done.

I’m aware of this, and I’m already working on increasing the recurrent value of my services by allowing regular policy reviews. Information security standards usually require updating policies regularly, and my platform will help my users select which doc they should review and let them do these reviews smoothly.

This, combined with other services like a trust center to display your security measures, will significantly increase the lifetime value of my platform.

Posting memes on LinkedIn usually makes noise

How are you doing today and what does the future look like?

Today, I’m not satisfied with my situation. I reached profitability in December, but not in January. I know B2B takes longer, so I’m focusing on the fundamentals. Raising my prices was a good decision. Setting up emailing sequences for people trying the demo will also help me convert. Adding the one feature (policy management) that will turn my one-off product into a recurring product is also good. It just takes time.

I’m trying to be laser-focused on these fundamentals while continuing to build trust on LinkedIn and normalizing a secure use of AI tools. That aspect is important. Many aspects of shipping fast spirit apply less when your customers are security officers expecting a secure product from day one, especially if it involves AI.

It means implementing a security program and being solid on GDPR. This can make things slower and sometimes take time away from marketing, even if my trick is documenting these aspects on LinkedIn and using security as a selling argument.

I expect to raise the current customer LTV from $800 to around $4000, before raising my prices again. Until now, my best way to convert has been the free trial. Usually, users get immediate benefit from using the product, so they stay even after the 7 days. I didn’t consider freemium, because in B2B, it’s normal to pay when a solution solves your problem.

When someone trials, half of them remain a customer. Some used to leave after generating all their policies in one week, which I now made impossible by implementing a credit system and raising my prices to avoid this type of behavior. I still believe the best retention will come from having more recurrent features.

I work on this business 3 to 4 hours a day. I’m still employed at my company, with reduced working hours, and usually do customer support during lunch break, and then will do product and marketing at the end of the afternoon and in the evening. Prioritization is the #1 skill I try to master. Deciding what matters, identifying what’s a loss of time, thinking about how to architect the product in a way that will make me work 10x less to maintain it in some months, etc.

For example, if you do one change on a generator, you have to do it on the 40 other generators. So the earlier you make a change or the more transversal the change, the less it will cost in time later on. Building smart is more important, even if regular execution matters.

I plan to release future products, always connected to my domain, information security management, and ISO 27001. It involves a “trust center” generator, for startups to display their security measures so that they don’t have to answer security questionnaires of 150+ questions. I’m also preparing products that allow startups to receive a lot of these security questionnaires to handle them automatically. But this is not for now, as I prefer to focus on the profitability of this first SaaS. One thing is sure, each SaaS will be used to build the next one.

My goal is to definitely reach profitability, and then continue to work with great people to make Better ISMS’s products flourish. I already collaborate with some freelancers who occasionally advise me or unstick me when I have problems, but I would love to make these collaborations more frequent and come up with products that make information security management far more accessible to smaller startups that don’t have the means to pay for tools that cost 20k or 30k a year.

Through starting the business, have you learned anything particularly helpful or advantageous?

I’m learning many things, and I still think that most of my learning is in front of me. One thing is that not all advice for solopreneurs is universal and that Twitter is a bubble, for how much I love it. Now what’s trendy is shipping fast, but I can tell you this doesn’t look credible when your clients are security officers. They certainly expect some speed from you, but care more about you building securely and protecting their data.

I still recognize the value of not spending too much time on the wrong things, but yes in some cases, especially information security products, there are other parameters to consider. So, client expectations are the primary source of what I’m building, and I’m trying to be less influenced by what I can read on X but just doesn’t apply to my case.

I still struggle with knowing when it’s the right time to consolidate my existing product/features or consider another product. For now, my guiding principle is a bit like in the game “Risk”: consolidating my positions well on products that are working, especially meeting all my customers’ requests, and then maybe making room for another app. But making existing customers happy, for me, is the baseline.

Regarding the things that helped me, there’s good timing. Having spent 5 years writing information security documents and mastering this skill coincided with AI booming. I gained precious time by exploring possibilities straightaway. I believe competitors could catch up rapidly and would prefer not to underestimate this, but I still think good timing gave me a competitive advantage.

What platform/tools do you use for your business?

I don’t want to expand too much on this because actually, it’s not a good security practice to reveal what tools you’re using. I have to practice what I preach. My platform is built on bubble.io. All the other tools I use are pretty much standard in the SaaS industry.

What have been the most influential books, podcasts, or other resources?

I read a book called The Black Swan by Nassim Taleb in 2016, and this significantly impacted my vision of the world. It deals with the impact of the unforeseen, and how we humans deal with knowledge and uncertainty. I’ve read and re-read several times Taleb’s books, thanks to whom I decided to work in risk management and cybersecurity and try to do things that make sense, in a domain where bullshit is omnipresent.

Regarding launching my business, my influences were so many, but a special mention to a guy named Dan Koe, whose “one-person business series” triggered me into thinking I could start something on my own and not have to go the classical fundraising path. Some other figures inspire me, they’re mostly people I’ve been working with that have high standards, such as serving the general interest, being consistent in what you do, and having a “no bullshit” approach. I thank them for giving this example.

Advice for other entrepreneurs who want to get started or are just starting out?

Please, consider your industry and own context when reading solopreneur advice on Twitter. Some principles are fine to reuse, but won’t always apply to your context. What matters is this unique context and you should strive to understand it as much as you can, which I do by connecting with cyber folks on LinkedIn, reading what they complain about and what their relationship with AI and marketing is, to have relevant messaging.

Above all, something that took a long time to implement but has been super helpful was implementing a live chat in my app. Adding the easy possibility for users or curious people to reach out gave me so many more possibilities to understand my ideal customer profile than when I was building blind.

Fly wherever you want, but don’t fly blind. This is my risk management motto, but it applies very well to deciding what you should build as well.

Where can we go to learn more?
