The recent cyber attack on Marks & Spencer, which looks set to cost the company around £300 million (€350 million) in reduced profits this year, underscores how mission-critical protection against security breaches has become.
Organisations are increasingly dependent on experts in governance, risk and compliance (GRC) to keep them safe. These experts typically work as cybersecurity auditors in an increasingly complex regulatory environment.
The workload faced by auditors is huge and, for the most part, they are still dependent on manual systems. This means it can take weeks to complete key tasks such as the gap analysis used to highlight vulnerabilities or shortcomings in an organisation’s security profile.
To address these problems, seasoned cybersecurity entrepreneur Donal Kerr has spent the last two years exploring how the application of machine learning and AI-powered software could be the game-changer the sector badly needs.
Last November, Kerr co-founded RunAudit with Tony Hughes, an IT security and technology risk expert. Kerr says the joint venture “upends the traditional approach to audit while providing a 10-times cost improvement and an automated, self-learning, easy-to-use solution to the market”.
He added: “Audit is a very important organisational function, but we have not seen a lot of innovation in this space. Right now, most of the work our software can do is being carried out by people.”
With RunAudit, an auditor can complete the gap analysis in minutes, saving weeks of manual document review. Regulatory standards have been embedded in the company’s AI model from the get-go and form the basis of its software, with processes and workflow tools designed around them.
“Another crucial aspect of our innovation is that we have found a way to minimise the cost of the AI system without what’s known as ‘token burn’,” Kerr says. “Token burn is where you use an AI system that charges you for every word ingested, and every word is a token.
“OpenAI will charge you, potentially, per token for the number of calls you make to a system. That’s expensive. With our deep domain knowledge, we’ve been able to find a super-efficient way of doing things that doesn’t cost a lot of money to process large volumes of documentation.”
RunAudit is a B2B company and its potential clients are mid-tier professional services firms in the EU and North America. “A lot of consultancies have a GRC practice where they’re advising clients about adherence to international regulations to ensure a clean bill of health for organisational security,” Kerr says.
“For example, if you are a large enterprise transacting with a government department or another large enterprise, certification against specific security standards is often required. It’s on the auditor to check out the extent to which a firm adheres or does not adhere to a regulation.”
RunAudit will white-label its solution to customers and will charge an enterprise-level software licence fee based on the number of users. The pricing structure will be finalised following a series of commercial pilots, which are due to run in the coming months.
Kerr adds: “There is a lot of great software on the market that can help companies prepare for audits, project manage them and complete them. However, our focus is on the specific role of the auditors and the challenges they face in a complex area with a shortage of qualified staff.
“It’s entirely reasonable to assume auditors have workflow systems to help them. In reality, they don’t, and this is the space we’re playing into. RunAudit can compress the sifting aspect of their job into a couple of hours and provide them with a red, amber and green analysis around compliance very quickly. This leaves them free to focus more on interpreting and applying legislation and having time to guide organisations towards better [cybersecurity] control.”
Better control could involve putting a company device register in place or ensuring that all company mobiles and laptops are connected to the same network so they can be tracked and secured in the event of a security breach.
RunAudit is a second-time start-up for Kerr, who is a lawyer by background and a former Fulbright tech impact scholar. He previously co-founded cybersecurity software firm 4Securitas (now trading as Dectar), which attracted €2 million in funding from an Italian VC fund in 2021.
Hughes, an expert in technology risk management, has spent the last three decades in roles connected to IT audit, risk and cybersecurity in the public and private sectors. The founders met in 2018 at a North-South event held to share cybersecurity knowledge and best practices, and have worked together a number of times since.
Investment to date is running around €100,000 between sweat equity and PSSF (pre-seed start-up funding) from Enterprise Ireland, while Kerr is currently taking part in the AI Ecosystem accelerator run jointly by NovaUCD and CeADAR, the national centre for AI. In terms of future funding, pitches to potential investors will begin later in the year with a view to raising €750,000.
“We’re starting with cybersecurity because we know it best, but our system can be used in any situation involving a lot of technical standards, for example health and safety and pharmaceutical regulation,” Kerr says.
At present, the bootstrapped start-up has just one employee (a data scientist), but Kerr expects to have 15 staff on board by the end of 2026. The company will be based in Ireland but trading internationally.