Ending Cyber Risk for SMEs in Australia, with Steve Hunter from Arctic Wolf

In Episode 012 of REDD’s Business and Technology Podcast our hosts Jackson Barnes (BDM – REDD), and Brad Ferris (CEO – REDD) interview Steve Hunter, Director, Sales Engineering at Arctic Wolf ANZ. Steve shares his insights from starting as an engineer with Cisco, to moving to Forescout, then to Google and ultimately to Arctic Wolf on the mission to end cyber risk for SMEs in Australia.

At Arctic Wolf, the mission is to End Cyber Risk through effective security operations. To achieve this, they believe that organizations must do three key things: 1) Optimize existing IT and security controls 2) Add expertise to establish 24×7 coverage 3) Continually review their cybersecurity posture and implement strategic actions to strengthen it

Arctic Wolf recently launched in ANZ with REDD as the official launch partner. Reach out to the REDD team to discuss how the REDD and Arctic Wolf partnership can help you eliminate Cyber Risk in your organisation.

Recorded Thursday, December 8^th, 2022.

https://www.linkedin.com/company/redd-digital/

https://www.linkedin.com/in/bradley-ferris/

https://www.linkedin.com/in/jacksonpbarnes/

https://www.linkedin.com/in/stevenhunter/

Arctic Wolf | The Leader in Security Operations

Thanks for watching!

You can find the full transcript below!

– ♪ Yeah ♪ ♪ Whoo, whoo, womp, wop, womp ♪ ♪ Yeah ♪ ♪ Life, life, ooh ♪ ♪ More, yeah, every day ♪

– Hello, and welcome to “REDD’s Business and Technology Podcast.” I’m your host, Jackson Barnes.

– I’m your co-host Brad Ferris.

– And today we’re sitting down with Steve Hunter, who’s a director of sales engineering for Australia and New Zealand for Arctic Wolf. And we on this episode his journey to end cyber risk Down Under. Steve, thanks for coming in. Really appreciate it. Did you want to start off with your background before we get into what you’re doing now and what Arctic Wolf does?

– Absolutely, and thanks very much for having me, Jackson and Brad. Really appreciate it. I started my life, actually, not on the vendor side. I’m four weeks into working with Arctic Wolf, and I’ll tell you little bit about that story in a second. But I actually started with three mates back down in Adelaide, running a very small reseller, so I come out of the SMB market back in the early ’90s and very quickly realized that running your own business is extremely difficult and you end up working full-time, 24 hours a day, seven days a week, and shifted from there while I was at university to work for what was Western Mining at the time, is now BHP, at their Olympic Dam operations in outback South Australia. I was a programmer, a database analyst, working in the mine on the processing plant, living in outback SA. And during the journey that I was there, I actually became the IT manager for BHP, west mine at time, at Olympic Dam uranium mine and ran a small team when I was in my early 20s of six help-desk staff and ran IT. Shifted from being internal IT at Western Mining to work for Dow Corning. They’re a international chemical company, where I was doing networking and CIS admin and IT infrastructure all across Asia-Pacific. Eventually moved to Sydney and started working as an IT guy for a company, hopefully, that you know, Cisco Systems, networking company. And I was an internal IT guy for Cisco for five years, which was awesome. I was doing networking for a networking company, super interesting, super challenging. And in that process, I was doing a lot of work with IP telephony back in the early 2000s, just when it had first come out. And so the dominant vendors at the time were Avaya and Nortel, and Cisco was the little fish in the big pond of introducing IPT. And discovered in that process of being in IT that I really liked talking about what we were doing in Cisco IT with external customers. And so the sales teams would bring me in. They’d say, “Hey, Steve, tell us the story of Cisco on Cisco and what we’re doing and how you’re getting value out of the technology.” And what ended up coming out the back of that was I got offered a role in the Cisco sales team to come in as a systems engineer and work with external clients on IP telephony at the time. Eventually went on to do data center in security, and I moved to Singapore with Cisco, where I married my lovely wife, Louise, who I met at Cisco. She’s a Brisbane girl, so all my in-laws are up here. I was up in Singapore for about eight years. Shifted out of being an individual contributor to leading the systems-engineering team for Cisco, looking after our 28 largest customers in the world, about team of 35, and did that until I moved back to Australia in 2015. And at that point, I’d been at Cisco 16 years, and an old colleague of mine who was with me in Cisco had gone off to join a pre-IPO cyber company called Forescout.

– [Jackson] Forescout.

– And Forescout competed with Cisco. It was the third-place network access control vendor in the market in APAC, and it competed against Cisco and HP Aruba. And he convinced me to come on board not because of what they did with NAC but because they were addressing a new capability that addressed a risk related to IoT and visibility and security at the time. Did that for the next five years, based out of Sydney, traveling around Asia. We had about 800 customers for a Forescout. And then, COVID hit. I was still with Forescout, sitting in my bedroom doing the working-from-home thing. And some ex-colleagues of mine from Cisco had gone and worked for Google Cloud. Had introduction to Google. And then, back in mid 2021, I actually got the opportunity to go work for Google Cloud. That’s where I’ve been up till about four weeks ago.

– What were you doing there? What role?

– Head of customer engineering, so I ran, or led, a team of extremely smart engineers across all technologies; it wasn’t just cyber; for, initially, large enterprise so very similar to what I did at Cisco. We worked the large end of town. But then, all of this year, I’ve been working with mid-market enterprise and the digital native startup community. Fantastic up until about, yeah, four weeks ago when I shifted to Arctic Wolf.

– That’s a massive career already. And no doubt, Cisco, when you started there and what you were doing in the IP tel, they dominated that market for a long time after. They were a small fish when you started, a bit different. When did you shift more into cybersecurity?

– So, it’s interesting. When I was in IT, we didn’t call it cyber back in the day. This was all infosec. Part of that was a component of the role of being in systems administration and networking, so there was network security, and there’s systems admin security. I was part of the very early teams at Cisco that responded to Code Red, the Melissa virus, the ILOVEYOU virus, if you remember that stuff from the early 2000s, so got exposed to that. But we also had a separate infosec function at Cisco. When I shifted into pre-sales engineering at Cisco, one of the topics that you cover is network security. There’s a big product range that Cisco has with security. And so about 2008/2009 was when I started working with security products and security teams in customers. But then, dedicated to security and cyber only was 2015, when I moved to Forescout.

– Yeah, right, and that industry’s gone nuts since then. Maybe we’ll circle back to that. Just to finish that journey then, now, you are landing as the director of sales engineering for Australia and New Zealand’s Arctic Wolf, which means you have left Google after spending ages of getting there, which is pretty rare. Why did you make that jump from Google, the massive giant, which sounds like that was a pretty good role, only after a year and a half, to Arctic Wolf?

– Yeah, that’s a really good question, and there was a little period of time a while ago I was asking myself the same question. No, let me say I was not in any way prepared to leave Google. In terms of as a technologist that is doing super-interesting stuff with customers, Google is the place to be, and interestingly, Google’s the number-three hyperscaler in Australia, very similar to how Forescout was the number-three NAC provider in APAC. And Cisco was the number-three IP telephony provider when I started there. I have a bit of a thing about going for the underdog. And so if you’d asked me six-seven weeks ago, “What’s your career plan?” it was to be at Google for the next three or four years. One of the advantages of being in a leadership role when you’re working with technologists is you get to be a little bit smarter every day on the back of working with amazing people. And so a lesson I learned really early from a colleague of mine at Cisco when I was making the decision to become a people leader of smart folk, rather than try to be one of the smart folk, was part of the job of the people that work with you is to teach you stuff that you find interesting and that they find interesting. So being an SE manager or a sales manager or an engineering manager means, if you’ve got the right attitude, you can get a little smarter every day. And at Google, I had some absolute weapons. They were amazing engineers and across all topics. When it comes to AIML and data analytics and running things at scale, Google scale, every week was a week of learning something cool and interesting from one of my team or somebody at the worked at Google.

– I can imagine it would be. You’d been learning what Google’s doing from a forefront-of-technology global leader. And then, you’ve got your team as well. You probably get some high-end customers. You’d hear their unique problems and challenges and how to solve those. You would have been learning a lot, so why make the move?

– Yeah, great question, yeah, and actually, that’s a great point. The customers themselves, how they use the technology, that’s… Probably the most fascinating part of working in a pre-sales function is you get to see all the crazy stuff that people do. Why leave Google? Well, the story is actually interesting, that I was having a one-on-one with one of my staff members, one of my engineers. And he had seen that Arctic Wolf was advertising to come to Australia, and he asked me in our one-on-one. He said, “Steve, this looks a lot like what you did at Forescout, and they’re just coming to Australia. Are you, by any chance, applying to this Arctic Wolf role?” and it turned out he had some mates that that worked there. And I said to him, “No, Arctic Wolf? Never even heard of them,” finished the 101, went away, had a look at the role, and had zero intention to go leave Google. But then, I looked at the mission that Arctic Wolf is looking to solve for, right? You said it at the start, right? The mission here is to end cyber risk. Pretty lofty goal, but it’s prevalent in its core to how Arctic Wolf goes to market and why we do what we do. And so I did what, I think, a lot of people would do. I had to look through LinkedIn. I was like, “Do I know anybody that works at Arctic Wolf?” And an old colleague of mine from Forescout had been at Arctic Wolf for about two years. And so I pinged Jim in the U.S. just over LinkedIn; I hadn’t talked to him for a year and a half; and said, “Hey, Jim, can I get five minutes with you just to find out a little bit about Arctic Wolf and what the journey’s like?” And I had that call with him, and oh, for 15 minutes, he was so passionate and so excited after two years, and I knew him from Forescout, that his enthusiasm rubbed off of me. The mission for Arctic Wolf is focused in the mid market. It’s not the top end of town, and I’ll talk about that in a second, why I love that mission. And I convinced him to contact the hiring manager, who, I believed, had already gone a long way down hiring for Australia just so I could get a chance to meet them when they came to Australia. This is six weeks ago. Excuse me. So I had the opportunity to meet the worldwide head of engineering for Arctic Wolf, guy called Lane, who you might have on the show a little bit later the year. If Jim was a 9 out of 10 passion for what he was doing, Lane’s a 15 out of 10 passion, and you guys have met Lane.

– Yes, I’ve met Lane.

– So you’d know a little bit what I’m talking about. One of the big things about what Arctic Wolf does is we’re not a product vendor. I’ve been in product-vendor land now for 12 years, and even at Google, they’re solving some amazing problems, but it was still a product or a piece of software or a component or a jigsaw puzzle piece that we would convince you to use, and you would assemble it yourself, and you’d have to build it and operate it and whatnot. And you can use partners to do that. But in the cyber world, even with Forescout, we were on a very pure mission to identify the unknown unknowns in your environment so you can protect yourself. And it wasn’t for lack of a positive intent, but geez, it’s hard to do. And so if I look at the end customer, if I’m one of the big banks in Australia, my cyber team’s 300-400 people, so when I take a meeting from a vendor who’s got their new piece of wares to sell, yeah, I can afford to take the time. I can take a look at it. I can see if it addresses a component of capability that I need to reduce risk or address an issue. Then I can operationalize it ’cause I’ve got loads and loads and loads of people. If I’m in the mid market and I’ve got 5-10-15 IT staff and I’ve got to deliver value to the business and I’ve, unfortunately, put the word security in my job title in LinkedIn, 100 vendors are going to hit ya up every week and try and sell you, with all good intentions, their product. Arctic Wolf doesn’t sell the product. Now, we have a product. We have a product that we have written and invested in and created for our team to deliver outcomes to customers. But Arctic Wolf is an extension of the customer’s IT team. The true objective is to reduce cyber risk and, really, end cyber risk for that customer. And if you think about risk as defined by… It’s the probability of something bad happening and then the impact of that bad thing happening. If I can get either of those sides of the equation low and ideally zero, effectively, I have ended cyber risk for that organization.

– That’s a big thing, and that’s interesting, what you say about mid-market, because having 5 or 10 people in the IT team then responsible for cyber as well, people expect that they are looking after cyber security in their business. But even in smaller businesses, they’re your general managers and CFOs, who are responsible for cyber in a business, and the IT stuff is beyond them.

– Well, the risks are the same, but to mitigate that risk is unfeasible. And so that’s why that Arctic Wolf solution is so unique in the marketplace is because it does now make that mitigation strategy affordable for everyone.

– Let’s elaborate a bit more on that before we go on to other questions. How does Arctic Wolf help businesses protect and therefore end cyber risk? What do they actually do for a business?

– The core of what Arctic Wolf does, it’s two things. A term that most folk will know is managed detection and response, right? We’ll have an MDR, as we say in the industry, MDR offering, and what that means is that using the tooling that you’ve already invested in and all the stuff that you’ve already got, which you may not be operating as effectively as you’d like and you’re certainly not watching 24-by-7. We’ll take all of that telemetry, and we’ll bring it all back into Arctic Wolf and into the Arctic Wolf platform. And we do that at scale, and we do that for 4,000-plus customers worldwide today. That gives you the response piece, and if we think, say, in the NIST framework, the cybersecurity framework, of protect, detect, respond, recover, this is the detect piece. So you’ve spent all this money on tooling, sent that off to somewhere where we are going to be able to watch and monitor, give ya high-fidelity alerts, do all the triage so that, when you get a ticket or a contact from an Arctic Wolf engineer, you know it’s something you need to do something about. That’s table stakes. There’s a lot of MDR offerings out there, and people have been using MDR for a while. That isn’t the reason I came to Arctic Wolf. There’s an approach that Arctic Wolf takes, which is how do we deliver this service, and there’s a function we have called the Concierge Security Team. These are named engineers; we have them here in Australia now; they’re currently onboarding as we speak; who become an extension of the customer’s IT team. They know the customer. They’re able to give the context that is needed to do proper event triage when we’re ingesting all this telemetry. They have the customer context. Now, in the event that nothing happens with a customer, if I’m a small business and I’ve paid for all this tooling and I’m running my business for the year and I never get a ransomware incident and I never have a business email compromise so I have a perfectly clean year, and gosh, I wish that that’s the case, what value did I get from the MDR service by itself?

– None.

– Well, I got some productivity value.

– Peace of mind, maybe?

– Yeah, I wasn’t looking at the alerts, okay? I didn’t have to do that, so my team gets some benefits ’cause they’re not processing alerts. I’m not having to deal with it, but outside of that, not a great deal. Maybe ticked the box for compliance, too. But in that year with Arctic Wolf with the Concierge Security Team, that team works with you to build a security journey, and that security journey is specific to you, the customer, because we work with you to know your business, but it’s leveraging the fact we’ve done this for 4,000 other customers and built these packages. We call them SPiDRs, security posture in-depth reviews, but we pull together a journey of SPiDRs, which takes you from point A, where you are now, to the end of the year to be in a better place.

– That’s effectively a bunch of best-practice implementations that you can roll out to client, depending on where they are in their security journey?

– Yeah, spot on. Exactly right. So that, every month, you’re getting better and we’re taking you on a intentional journey. But it’s your journey, not our journey, but it is prescriptive, and it is best-practive, and it gets better every time. Because we’re doing the collective-defense piece, we’re learning from 1,000 of these. We’re doing an exchange, sorry, an active directory administrator account review, for example. That process of how you deal with privileged accounts and identifying the environment, we’re doing that for 1,000-2,000 customers, so we make that better every time as things move on.

– One of the differences there is you are a service, not a tool, to begin with. But then, you are essentially a fully outsourced security operations for a business is how they look at it and help them with their strategy as well as you are their MDR response and everything else. Is that right?

– Yeah, spot on, exactly. The Arctic Wolf Cybersecurity Operations Center is one of the largest cyber SOCs in the world. We have the benefit of collective defense related to that, but I think it’s the journey that is the important piece and backed up by 24-by-7 response and all that ’cause you want to be able to respond and detect, but it’s a virtuous circle that the better we go on the proactive side, the better we are at being intentional about security strategy and security posture uplift and user education and security awareness training. The better we are at that, the less we need the MDRs, the fewer alerts we have to triage and all that. So the better we get at the front end, the easier it is to identify the things we need to deal with at the back end when we’re reacting. But that journey is customizable because it might be that we’re going to do a journey of the year to get certified for ISO 27001. Maybe that’s what we’re trying to do. But then, we might need to take a detour mid-year because ya do have a business-email compromise or you do have an incident. And so then that does two things. We’ve got to be able to respond and react to that, and that’s where incident response comes in and maybe other partner services as well. But then, there’s fallout from that, which is “all right, what do we learn? And what do we have to do differently moving forward?” Okay, let’s modify the journey to incorporate that so we get those outcomes. And then, we go back and complete the rest of the journey. The focus, this is the awesome part. The focus here is mid-market. We want to work with customers that have spent a bunch of money on tooling and whatnot to get the most value out of what they’ve already invested in but then get this security uplift over time.

– And then, we probably should touch on that engagement model a little bit, so in that mid market, generally partnering with someone like REDD, who’s effectively playing that IT-team role for the client and using all their expertise on the front end to implement some of these changes, these features, these events, if you like, that need to be implemented for the clients in their tech stack.

– Spot on, and so the role that a technology-success provider, like REDD plays there, it’s twofold. It’s leveraging the expertise that Arctic Wolf is bringing to the table related to “well, this is what ya have, and here’s how you make what ya have better,” and already, you guys are helping customers with that. But it may also be there’s missing capabilities, and rather than listen to yet another vendor pitch from yet another category of cybersecurity tools, being intentional about what you want to look at next in terms of “okay, we want to be able to go to the board and say we’re looking for an investment to uplift our capability,” well, how do we quantify where we are today? We do that as part of the baseline service. And then, how do we quantify the risks we’re looking to address or mitigate with the investment that we’re asking for and then working with a partner like REDD to get those acquired and then implemented?

– That’s pretty unique, actually, ’cause there’s a lot of services out there that do the endpoint detection response or MDR, but they’re definitely not going to help you with strategy on cybersecurity in your business, right? And there’s a lot of network-monitoring tools that do a similar thing, but they’re not going to come back to you and say, “This is where you’re at today. This is where you need to be,” and create that journey for you, so that’s very unique, actually.

– Yeah, spot on, and actually, on that topic about endpoint security, one of the other things I’m just getting exposed to now that I’m in my fourth week at Arctic Wolf is Arctic Wolf collects an epic amount of telemetry. We’re in the vicinity of two trillion events a week being ingested into our cyber site. There’s a lot of intelligence that can be extracted from that, and we have a function inside Arctic Wolf called Arctic Labs, and I’m just coming up to speed on this now, but one of the pieces of insight that they’ve shared with the teams is we take telemetry from lots of different places. We take it from endpoint. We take it from network. We take it from SaaS applications, like email and Salesforce. We’ll take it from external-threat fees as well so collect all of this information from lots of different places. What percentage of the incidents that we have to escalate to customers comes from the endpoint telemetry would ya guess?

– It’d have to be over half. Over half?

– I’m not even going to try.

– I’ll say over half.

– Yeah, I would’ve thought 50% or 40%, something like that. It’s in the vicinity of 15 to 18%.

– Really?

– So it’s less than a fifth.

– That’s interesting. Just to clarify that, 15-18% of logs are coming from the endpoint antivirus tool.

– Let’s call it, 20%.

– Is that including the sensors as well?

– 20% of the incidents that we have to escalate to a customer to manage so real incidents are sourced from endpoint telemetry, which means 80% of the incidents that we escalate to customers… We wake ’em up at two o’clock in the morning to “hey, you’ve got to do something.” 80% of those incidents are coming from other sources: Network, SaaS.

– Like network, .

– Yeah, exactly. Does it mean you can get away with not having endpoint protection? Absolutely not, because, if you didn’t, then it’d be 90% is coming from that. So the endpoint protection tools are doing their job, 100%, but it does mean that it’s not a complete story if that’s all you’re looking at.

– What size business should consider outsourcing their security operations? Probably might be some value for the audience there because that is very interesting, and I’d say that, definitely five years ago, it was only universities and state-government agencies and defense and stuff had their own security operations, and banks, those kind of things, right? But if you look at even hospitals these days, they don’t have security operations internally and some of ’em not even externally. What size business should start to consider something like outsourced security operations?

– Yeah, you could almost flip the question around and go, “What size business would it make sense for you to insource security operations?” And I think we’re really only talking very, very large enterprises, and even very large enterprises will outsource some elements of their security operations. But two windows I would look at that. There’s the core-versus-context conversation. Is security core to the brand for what you’re doing? If you’re a Visa or MasterCard, security and trust, massive, right? They have one of the world’s largest SOCs, as well. But if my mission is to deliver high-quality refined manufactured goods in Australia for distribution around Australia, is security core to what I need to be delivering as an IT function? Well, unfortunately, the answer is yes today. Absolutely, security is core for everybody, but am I going to have the capability to hire the number of staff that I need, put up a 24-by-7 monitoring environment, and then be confident that I can maintain that over time and get a good outcome? The answer is no, and the answer is no for pretty much everyone under 1,000 employees, under 1,000 managed endpoints.

– That is before it was even semi viable internalizing a security operations team. Is that what you’re saying?

– Yeah, exactly, and the figures, they’re vary a little bit, but if ya look at the SANS training related to this, you’re looking at six-to-eight people to staff at 24-by-7 operations center. So we’re going to, generally, want to outsource the context operations for managed detection response, a bit like log monitoring as well, lot of folk are outsourcing to NOCs and managed providers for that. Yeah, so that’s the where I would look at there is it’s that mid market where I can’t start… And staffing a cybersecurity operation center, by the way… I was at Google, and I was, part of interview process, trying to hire security people.

– Yeah, if you can get them.

– I couldn’t get people. It took us a long time.

– Even with a big brand like’s Google?

– That’s nuts at Google.

– Yeah, it’s crazy. The skillset is in such demand in Australia it is an absolute challenge. And then, I don’t know if you’ve seen in the press just recently. They’re viewing cyber SOC analysts as the call centers of the IT industry in that the churn for people coming in, burning out, and then leaving is very high.

– Yeah, I’ve have heard that the burnout for cyber engineers is massive right now. I can imagine, running 24-7, dealing with threats, stressful environment. And even, recently, ’cause all the big breaches in Australia that happened, they’ve probably got a lot of questions fired back at them internally saying-

– Spotlight’s on.

– Yeah, and so that would be a big concern. From what you said, Steve, with all yours years of experience, that unless you have 1,000 employees, don’t even consider building a internal security operations. What size business would you advise should be considering outsourcing their security operations? Is it down to 100 people? Less? Or what does that look like?

– Yeah, everything’s a risk-based decision when it comes to this, and I know it’s a bit kitschy to say that when you’re in IT, or in infosec slash cybersecurity, “everything’s a risk-based decision,” but it is. And a great example of that, there’s some amazing companies up here in Queensland that I work with in Google Cloud. The innovation coming out of southeast Queensland, it’s off the charts. And there are companies that are doing some amazing intellectual property development, and I know you had an IP lawyer on here just recently. They’re not massive companies. They’re 10-15-20 people. But the value of what they’re creating is in the tens of millions, hundreds of millions, of dollars. Now, for them, 100%, I would be looking at a high-quality high-caliber outsourced security operations but also a long-term security strategy because that is core to how they protect their business. But outside of that, in general, it’s going to be in that 50-to-150-50-to-300 range as where you going to get the most value in outsourcing a great deal. And we’re almost not outsourcing, ’cause that sounds like you’re outsourcing responsibility, but having a external party be part of your security journey.

– Yeah, you’re just leveraging a team of experts that you couldn’t practically employ and manage internally yourself.

– And one bit of aside by injection here, when I first started working in networking when I was at Western Mining, I had the opportunity to work with… We had a problem with a Cisco switch. And I was pretty new to networking at the time, and I remember calling up Cisco TAC, if I remember those guys back in the day, and calling Cisco TAC and getting help. And Cisco had and, to a degree, still has the reputation for the best post-sale support. And I worked with this guy. These are technical support engineers, essentially, in a call center that were just absolute weapons. They were technical guns, and they were amazing. And when I joined Cisco, excuse me, I was in IT, and I was in the same building as Cisco TAC down in Chatswood, Sydney. And I was very curious to know why would someone stay in a technical help desk, why would somebody stay in support. And we had guys at Cisco that had been in support 25 years, and the environment that the support managers created for the Cisco TAC engineers… These guys were CCIE, they’re multiple CCIE, they could go anywhere, but they choose to stay in customer support because, when I looked at them at the time, they were on the phones for taking calls typically for four hours out of an eight-hour shift. And then, the other four hours is recreate or playing pool. Back in those days, it’s shooting Nerf guns around the office. But the support managers realized that it’s a hard job to get really skilled people to want to stay in. And so they built an environment where the culture of that team was amazing, and I get a sense, walking around the REDD offices, that’s what you’re building here. Arctic Wolf takes the same approach for the cyber SOC. How do you get hundreds and hundreds of cybersecurity analysts to come work for you and have a career journey in the SOC, which is the call center of cyber. And it’s to, essentially, take the same approach. I’m looking forward, eventually, to getting out and seeing them overseas, but they have a intentional approach to bring people in from industry at senior levels and from university early on and then give them a career journey in cyber, where you might want to be in that place for three or four or five years.

– It’s been one of the highlights of this journey of building the relationship with Arctic Wolf is seeing that culture. And me, I’ve been lucky to meet a lot of the team overseas as well. Yeah, everyone’s so passionate, really friendly, great vibe. Everyone believes in the mission, so I’ve really joyed that part of this journey with Arctic Wolf.

– Sounds like part of the reason you joined, Steve, is the passion you felt from a former employer you used to work with over there, right? And then, you had Lane on the call, and the passion was too much.

– And it’s easy for me to get distracted on tangents, and I realize I didn’t answer your question for why Arctic Wolf. I met Lane and had this 30-40 minute conversation with him down Circular Quay. And I walked away, and I remember saying to him, “Look, I know maybe I’m not the guy. Maybe you’ve already picked somebody. I get it.” And I hadn’t applied for a job in 20 years. It’s mostly through networking and people that I have had my career path. This was a job that I applied for, I canvased for, because I met the team and was like, this is really going to help the middle part of Australia. Being in cybersecurity in Australia, you got to think of it like the Team Australia approach, right? We all want to be successful. We all want to reduce cyber risk. We want to do good things for Australia overall. And bringing Arctic Wolf here… And they’re very intentional, by the way. Arctic Wolf’s been around for 11 years, has in excess of 4,000 customers, one of the world’s largest cyber SOCs, and has never come to Australia until two months ago, actually, launch partner here with REDD, just amazing. They didn’t go to Europe until April last year. They’re super intentional. We are super intentional about coming in and doing it seriously. By the way, if people listen this podcast and are interested in a career in cyber, please, look me up on LinkedIn, come because we’re hiring and we’re growing. But the mission is amazing.

– I do want to touch on the Australia plans shortly, but before we get there, one of the challenges, I think, that IT managers and CIOs, people responsible for technology, who get bucketed with cyber as their responsibility as well, which is 99% of people we speak to, I would say, that cybersecurity gets bucketed with the IT team is their responsibility… What advice do you have them for going to their board or CFO or CEO with this “we want to get Arctic Wolf or outsource security operations. We have this much risk,” for example? How would you go about that if you were sitting in their shoes as a CIO responsible for cyber as well but don’t have any cyber operations now, basically?

– Interesting, actually. Having been an IT manager in my pre-vendor career, I have a lot of respect and admiration for people that choose to be in that role today. The legal requirements that are increasingly putting upon directors of companies is significant. And I think, if the listeners or the viewers take a look at… There was a Corporations Act, ASIC versus RI, I think. You could search it for on Google, but essentially-

– RI Advice, yeah.

– Yeah, RI Advice.

– In Brisbane, actually.

– Oh, I didn’t know it was in Brisbane. I saw it in the press, and I looked at it and went, “Aw, that’s concerning.” In terms of a duty of care as a corporate director under the Corporations Act now, if you’re not showing due diligence related to cyber, you can potentially be taken to court. Now, we understand that there’s the Privacy Act. Australia’s generally pretty good with the regulations that we have to comply to under the Australian Privacy Act and align to the privacy principles and whatnot. But to answer your question, how do I go to the board and justify investment in cyber? But the reality is you’re not justifying investment in cyber. What’re we doing? We’re looking at addressing business risk. How do we do that? We start with quantifying what that needs to look like or what the business risk is today. I guess the good news on that is this is very topical. It’s certainly very topical the last three months, with everything we’ve seen, but increasingly, there’s education in the director’s training and from legal advisory and from professional advisory as well that’s very familiar with quantifying business risk and helping you get to a position where you can say, “Actually, we know where we’re at right now.” The investment in something like MDR is not a massive investment.

– [Jackson] No.

– Especially compared to the amount of risk that you mitigate by investing in it, but to answer your question, it is about having a risk-based conversation, understanding your risk. It’s a business conversation.

– Yeah, a risk conversation, that’s definitely the approach that makes sense. And that’s good advice. And yeah, the RI Advice case, they actually got a $3/4-of-a-million fine for not listening to advice from their current IT provider, so that was definitely scary. And other cases where directors are getting more scared about what’s going on and know the maximum penalty just got approved, actually, from $2.2 million up to 50 million or 30% of turnover, which is even more, I guess, highlighting the risk.

– And we’ve talked about this, I believe, on different episodes, but again, for listeners/viewers, the Australian Institute Company Directors has just published quite a good guide around principles around cyber governance and how to manage that, so definitely would recommend anyone typing that into Google and pulling those up.

– Or we chuck it in show notes somewhere, surely.

– Yeah, I’ll chuck it in the show notes, good idea.

– That’s good advice for IT-manager CIOs going to the board and having the risk conversation. I just want to get your feedback. You’ve been around in the infosec, or cybersecurity, industry in Australia for a long time at a pretty senior level. Where do you think the current state of cybersecurity market is in Australia now? And what does Arctic Wolf bring to that?

– One of the interesting things about Australia is, as a country, we punch well above our weight when it comes to technology. We tend to go early with advanced technology. We’re a very sophisticated user base, if you like. And I saw this at Cisco, I saw it at Forescout, I saw it at Google, and I’m hoping to see it again at Arctic Wolf. I spent a little bit of time. Pre joining Arctic Wolf, I went down to Canberra and did some training from the IRA processors program with the ACSC and their authorized providers. And the thing that I feel good about being in Australia right now is that the government is taking it seriously and not so much on the regulation, the penalties. There’s a great argument: if you increase the speeding fine, does that mean people are less likely to speed? Maybe, maybe not. But the push from the government to be more publicly focused and company-focused rather than commonwealth-focused around cyber education and helping companies navigate this new world that we’re living in today, they’re playing a very active role in that. And I know you’ve talked about Essential Eight in a few podcasts with a few guest members, but the ACSC’s taking a very deliberate and public stance around cyber education and capability uplift in Australia for the good of Team Australia. To answer your question, what do I see the state of the market, we’re shifting away from a tools market, right? And as I look at vendors that are coming to Australia and the startup ecosystem, there is a shift to outcome versus capability or technology. And I think that Australia is going to get there very, very quickly. In the same way that I’ve seen us adopt advanced technologies rapidly, this shift away from technology to outcome, delivered, ideally, through innovative and scalable technology platforms, et cetera, it can’t be solved with people, ’cause we don’t have enough people skilled in the right places. We’re not bringing them in. There’s a net decline in technical capability in Australia. It needs to be that combination of government with regulation with education, technology capability coming in from vendor land, to address the technology challenges in innovative ways with a mindset that is very Australian, which is we’re going to lean in and we’re going to do innovative things quickly. You know, we are often the underdogs. We’re a country of 20 million people, or 25 million people, that punches well above its weight in terms or how we consume technology and what we use it for. I feel optimistic, but the challenge is definitely significant.

– Yeah, it is good, actually. There has been a lot recently, since these big breaches that have happened, that is just getting spammed out from Australian cybersecurity, who do a pretty good job, and AICD and a bunch of other organizations. That’s really good.

– One comment I’ll just throw in there, which is, these breaches that’ve happened just recently, it is not for a lack of tooling and is not for a lack of good intention that we have these problems. The challenge is really no different with the Optus breach, for example, which, I know, you talked about on an earlier show, and there’s a bit more information out there now than there was. Was the tooling doing what it was supposed to do? Absolutely, yes. Did anybody respond to that tooling? Unfortunately not. How different is that from 10 years ago, or 2014, when Target got breached and the tooling that they had was lighting up the malware-is-moving-laterally-alerts alerts? But it was just lost in a sea of noise in the Target SOC, so in that respect, nothing has really changed in the last eight-nine years.

– Tools have maybe got better, right?

– And there’s certainly more of them. The frustrating thing with cyber, for me, when it comes to talking about it with any organization, is that it’s one of the few areas of technology where we don’t see a lot of consolidation, you know? If you’re an old guy like me, you had choices in networking before TCP/IP and ethernet. They were options back in the… We were Decknet and FDDI and Token Ring and stuff. Microsoft Exchange and Active Directory wasn’t always the directory service that you were using. You might’ve been using Banyan VINES or Novell or something like that, but over time, you’d tend to find that there’s consolidation in technology, except for cyber. If you’ve ever been to RSA, there are 3,000 cyber vendors trying to spruik their wares, and there are 700 or 800 of them that are new every year, so how does a IT manager or a CISO stay across all of those as well as everything else they do in their job?

– Why do you think that is?

– Ah, it’s interesting. I think it’s because security is often something that’s thought about late when new technology comes out, so security isn’t part of what we think about when we create new offerings. And the perfect example is the iPhone, 2007. We finally cracked the code on antivirus and managing Windows endpoints. And then, okay, Mac came in, so we had to deal with that, and it was outside of school. But we got that sorted. And so you got your AV on your Mac. And then, 2007 comes along, the iPhone launches, and what happens? Every executive and every end user’s like, “This is fantastic. It’s great for my productivity. Let me bring it into the company.” And what happened? Well, we had to create an entire new category of security tools related to mobile device management, do MDM, and it’s like, “All right.” Every new innovation that comes along has a knock-on effect related to security.

– It comes with a risk.

– And it comes with a risk, and it always comes second. It’s not like we were like, “Oh, we’re not going to release the iPhone until we’ve got a way to securely manage them in the enterprise.”

– Well, they’re trying to innovate, as well, right? Apple’s always been about creating a new thing and cannibalizing their old product and moving forward. When you do that, it’s hard to pause for six months with that crushing new technology while we figure out the cyber side, so it does always come after.

– Exactly right, and it’s one of the challenges I see with CISOs and with IT managers that have security in their remit is how do you innovate safely. Ya let enough new stuff come in, but you’ve got the guardrails around it so that you’re not exposing yourself overly, but you can never be fully, fully, fully secure. But yeah, you just got to do it in appropriate fashion, but I actually saw it at Google, too. A lot of the innovation that’s coming out there, what are the security implications of AIML and robotic process automation, all of that. I haven’t seen the tooling or the category for that yet. I am sure it’s coming.

– Yeah, and there’s IoT and that kind of thing as well.

– I could ask a lot of questions, but I know that you’re watching the clock, so I’ll let you.

– No, you go, you go.

– No, no.

– You get one question, Brad.

– Well, I do want to talk about what’s coming up.

– Yep, yeah, I do want to touch on that as well. One other thing I did want to touch on before we get to that… We’ll finish on that. You’ve led teams in IT and cyber and infosec for a long time now. What makes you good at managing technical teams? ‘Cause that’s essentially what you’re going to be doing at Arctic Wolf, right? How do you find someone good, retain them, and manage them, ongoing.

– Now, I almost don’t want to answer this question, because you guys are going after the same folk that I’m going after.

– [Brad] We’ll be nice. It is literally the best part of this job. When you move into people leadership, there’s a lot of not-fantastic stuff that comes with it. There’s a lot of administration, et cetera. The best part of this job is being able to work with smart people. People want to be good at… They want to have an expertise, and they want to be able to show it, and they want to be able to use it. They want to be operating in the place that they’re the strongest, and they want to get better over time in most cases. And so my philosophy around leading technical teams, first up is I’m privileged to say that I’ve led teams a lot, lot smarter than me and that I’m not intimidated by it but that I love it because if a little bit of your job every day is to make me a little bit smarter, that means that I’ve got 10 folk that are making me a little bit more educated every day. And I love to learn, right? You have to if you’re in this industry, I think. My philosophy around growing and leading technical teams is to appreciate and understand the passion for what we do. How do ya drive the passion? How do ya support the passion for what we do? A lot of what we do today didn’t exist five years ago, so you can never be more than a five-year expert in some area of technology, you know? So the fact that I’ve been around 25 years in technology just means I’ve done the five-year thing five times. Ya need to have something excite… Really, it’s the mission, so when we were revolutionizing telephony back in the day, we were the underdogs. That was a fantastic experience. And I did that as an engineer, as opposed to a manager. And at Arctic Wolf, why the engineers that I’m talking to are excited to come on board has to do with two things. It’s the mission. That’s the purpose, the vision for what we’re trying to do. That is pure. We can 100% get behind that. But it’s also how we’re doing it. And so the technology and the innovation and the hyper-nerd engineering stuff that’s under the covers is interesting to engineers so great mission, great tech. And then, ideally the managers just get out of the way and let ’em be amazing.

– Yeah, that’s good advice. That’s good advice. All right, Brad, did you want to go the next question?

– We had had a pre-conversation around the data sovereignty conversation because that does come up a lot when we’re talking to clients. And what’s difference between offshore/onshore? What kind of data? And I know we’d had a pre-conversation, and this was a little bit above my knowledge, but you had some great words of wisdom, so I’d just like to unpack that a little bit with you.

– Okay, for the listeners, for a little bit of history, I actually had the chance to catch up with Brad in Sydney just a couple days ago. And this topic comes up a lot, so I’ll talk about data sovereignty. Now, full disclosure: I’m not a lawyer. Seek appropriate legal advice to your specific situation. But I am seeing this challenge in the industry related to the term data sovereignty. If you google “data sovereignty Australia,” you’re going to get a lot of articles saying, “We must ensure that we have our data sovereign.” Full disclosure right now, Arctic Wolf does not have a presence in an Australian data center. It’s coming, but is not here yet. What does that mean in terms of data residency and data sovereignty? And how should you be thinking about it if we’re talking to you? First up, I’ve been guilty of this. Vendors do tend to co-opt industry buzzwords, and I saw it with visibility at Forescout. Then it was zero trust. AIML did a little stint in the cyber lands a couple years ago. And now data sovereignty’s quite rightly a topic that needs be discussed. My view on this is, first of all, skip the vendor marketing stuff, right? If you’re seeing a local sovereign data center talking about “the only way to be safe and secure with your data is to ensure that you’ve got onshore in Australia,” no, not really, the only way to be safe and secure with your data is to sure that you’ve got it classified properly and you’ve got it protected appropriately, because, if it’s onshore and poorly protected versus offshore and well-protected, I would take offshore and well protected every time. My guidance on this is to take a look… If you’re not in a highly regulate industry, you’re not in government, or you’re not dealing with health records, in general, the Australian Privacy Act is the overarching act that governs what we need to do related to protecting the privacy of Australians’ data. And there are the Australian Privacy Principles that you should align to. And this is not just vendors. This is you as a company. Need to align to the Privacy Act, the privacy principles, to ensure that we’re treating the collection and the management and the disposal of citizens’ data appropriately. And that’s the approach that we’re taking at Arctic Wolf as well, which is we’re aligning to the Privacy Act and the privacy principles related to data residency and ensuring that… At the moment, there is actually no requirement for you to have your customer data, even your customer databases, onshore. That’s not part of the Privacy Act, and it’s not part of the privacy principles. And actually, I think it’s privacy principle… I want to say it’s eight that deals with the appropriate handling of offshore data. So the more important question you need to be asking both yourselves and any vendor that you’re working with is “how are you protecting my data that I trust you with? And how are you aligning to this Austral Privacy Act and Austral Privacy Principles?” We might see that change in the future. There might be a need for onshore residency for some sorts of data outside of health and government, but that’s not the case today.

– That’s really good advice actually. I do agree that if you can offshore but it’s protected, secure with a trusted brand and proper processes, that makes a lot more sense than going with something you can go and have a look at but it’s unsecure in Australia.

– Unsecure locally is still, therefore, exposed internationally or offshore as well.

– Yeah, and I do feel like apologizing to the listeners on behalf of all the vendors that… It’s a force of habit to take whatever the topic du jour is and then morph your product into being that thing.

– Yeah, yeah, clickbait.

– Yeah, exactly, one of the reasons I’m glad I’m no longer at a product company.

– Yeah, fair enough. All right, so what’s next for Arctic Wolf in Australia? Ending cyber risk just launched. I know it’s been four weeks, but you want to share little bit about what the plans are for Arctic Wolf for entering Australia?

– Yeah, 100%. The plans here it’s exactly that. You know, the mission is to end cyber risk for the mid market in Australia. It would be great to say for everyone in Australia, but we’re laser-focused on the people we want to work with and the people that we want to help protect. That means growth. A very common pattern for vendors is to land a whole bunch of sales teams and then go solicit business. And then, eventually maybe, they’ll put in some customer service people and whatnot. Arctic Wolf, today, we’re 12 weeks in the country. I’m employee number four. We’ve got 12 on board now. There is one sales team. There’s actually only one sales person. Everybody else is working on customer success, project management, security operations. That all exists in Australia today. And so the mission from here is growing those teams.

– That’s exciting. What’s it going to look like in 12 months’ time?

– Aw, who knows. Based on what we saw in Europe, though… In Europe, we went from 0 to 100 people in about 14 months because we’re investing in an area that is really crying out for some help. And the approach that we take, it’s a people-oriented approach rather than a product-oriented approach.

– Thanks for coming in, Steve. Really appreciate it. Thanks for sharing all your insights on how you manage a team, the cyber security market right now in Australia. You’ve shared lot of good insights, so really appreciate it.

– Absolute pleasure, thanks so much for having me.

– No, that was great. Thanks for coming up. ♪ Life ♪ ♪ Life, ooh, more ♪ ♪ Yeah, every day ♪