Global cyber security insights with Arctic Wolf executives Lane Roush and Steve Craig
In Episode 016 of REDD’s Business and Technology Podcast, our hosts Jackson Barnes (Head of Business Development – REDD), and Brad Ferris (CEO – REDD) interview Lane Roush (Global Senior Vice President of Global Sales Engineering for Arctic Wolf) & Steve Craig (Chief Sales Officer – Arctic Wolf). Arctic Wolf is a global security operations giant who are on a mission to end cyber risk, backed by over 2,000 employees and one of the largest Security Operation Centers in the world.
We discuss the ever-changing and increasing global cyber threat landscape into 2023, what cyber security was 7 years ago, global cyber insurance insights, the real value of Penetration testing and what’s next for Arctic Wolf.
REDD is Arctic Wolf’s flagship partner in Australia and is working closely to end cyber risk down under. Click here to find out how REDD & Arctic Wolf can help your business mitigate cyber risk https://redd.com.au/services/cyber-security/
Recorded Thursday December 15th 2022.
00:00 – Intro
00:45 – Steve Craig Intro
01:42 – Lane Roush Intro
04:21 – Who is Arctic Wolf?
05:39 – Steve Craig – Who is Arctic Wolf
06:50 – What is the purpose of Arctic Wolf
09:49 – What does the market look like currently for security operations and in 3 years
16:35 – What questions do you ask internally when assessing different vendors?
20:34 – Go to Market Strategy as a differentiator
21:15 – What did the Cyber Security industry look like 7 years ago when you started at Arctic Wolf?
24:57 – What are your thoughts on the future of the industry?
28:15 – Are you seeing a trend where businesses are opting to self-insure around cyber?
30:06 – What are your thoughts on organisations getting penetration testing?
33:30 – How often would you recommend businesses get pen testing done?
35:33 – What are Arctic Wolf’s plans for Australia?
37:00 – What is Arctic Wolf’s plan for the future?
If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website or through any of the links below.
Thanks for watching!
REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.
REDD is a leading provider of the following services
- Digital Advisory Consulting
- Managed Technology
- Cloud Computing
- Cyber Security
- Unified Communications
We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward.
You can read the full transcript below:
– Hello and welcome to Redd’s Business and Technology Podcast. I’m your host, Jackson Barnes.
– And I’m your co-host Brad Ferris. And today we’re sitting down with Lane Roush, who’s the senior vice president of Global Sales Engineering for Arctic Wolf. And Steve Craig, who’s the chief sales officer from Arctic Wolf. We’re looking forward to this episode. We’re going to get some good insights to the cybersecurity industry over in the U.S. and globally. Steve and Lane, thanks for joining us. Steve, did you want to start with the introduction to yourself and your background?
– Yeah, absolutely. Jackson, Brad, thanks for having us. Really appreciate the time and look forward to the partnership ahead. So, Steve Craig, chief sales officer. I’ve been with Arctic Wolf for going on close to four years. When I joined, we were about 200 employees, and we had a sales team of about 20 sellers. And fast forward three and a half, four years later, and I think we’re well over 2000 employees and a team well north of 200 sellers. So, I’ve grown in responsibility and scope. I have responsibility for acquisition. I go to market globally. We’re 100% channel. So when we move into a new region or a new part of the world, we’re selling to our channel partners exclusively. And then I have responsibility for our sales development and sales enablement teams here at Arctic Wolf.
– Thanks, Steve. With that title and that amount of growth, you are definitely dominating your job. Lane, mate, did you want to introduce yourself and your background before you joined Arctic Wolf and how long you’ve been there?
– Yeah, yeah, I appreciate that. So my name’s Lane Roush, and yeah, I run all sales engineering at Arctic Wolf. I’ve been here for about seven years. I was employee around 35. So I’ve seen a lot of growth in the managed detection and response market. Really, it was identified in May of 2016, and I joined Arctic Wolf in August of 2016. My background has really primarily been on the hands on keyboard type situation, right? So I’ve been a system administrator in the infrastructure for a long time. So prior to being in sales and sales engineering, I was in storage, compute. I mean, I was playing with virtualization when it was ESX 2, took over migrated exchange boxes, ran help desks, have done storage array management. So I am a through and through infrastructure guy. My first foray into sales engineering was really around, I went to EMC and was actually selling Data Domain, Avamar, and Networker, so think backup software. After I had a stent at EMC, I went to Code42 and did enterprise endpoint backup. And really there is where I got introduced into what I would consider security from a professional perspective. And I thought it was really interesting because we came from this spot of backup and disaster recovery, as a part of anybody’s ecosystem or any company’s ecosystem that’s required. And DR even back in the day was hard to implement and hard to do, but now nobody would operate without DR or business continuity, like that’s not even really heard of anymore. And when I was at Code, we decided, hey look, there’s millions of endpoints on these systems that are taking every version of every file. What can we do from a security context? And so that’s when I really started getting into this idea of what does security, and InfoSec, and cybersecurity look like? And when I took my next jump, I really wanted to get into something that was obviously subscription. I wanted it to be something that was security focused. And ultimately for me, I wanted to go build out and run a sales engineering organization. And I was lucky enough to get the opportunity here at Arctic Wolf to really try to drive and make a difference within the cybersecurity industry. So it’s been a great run so far. And we have a lot of work left to do, but really excited about what we have to come.
– Yeah, that’s exciting. And you’ve seen a lot of growth in your time, 35th employee to now where Arctic Wolf’s got, what, 2000 employees globally. So that’s quite a lot to have happened I’d say in those years in your time, Lane. Probably the first thing I want to start with to get some context for listeners would be who is Arctic Wolf? I don’t know which one of you wants to take that question.
– Yeah, I’ll take it, and then Steve can add on if I need some help. So, Arctic Wolf is really a company that is about trying to end cyber risk within a company. And look, I think we all know if you’ve been in security or in IT or in life, you can’t ever eliminate risk. Like it’s not something you can actually ever eliminate. But the idea is that if we can strive towards a mission of trying to end risk within companies, which is really around reducing the likelihood of a security incident happening and reducing the impact when a security incident happens, we are going to make our customers more secure, right? And so Arctic Wolf’s mission has been let’s deliver the outcome of security operations to companies with a security operations cloud that isn’t just about technology, right? It’s not about here’s another product that’s a little more efficate. It’s about how we deliver the outcome, which we know you can’t automate the human out of a SOC, right? And so the idea for us has been how do we still operate in a fashion that’s affordable and effective for customers, but also deliver outcomes and not just necessarily another product. And that’s held true even since really kind of the inception of Arctic Wolf of delivering outcomes versus a net new product, if you will.
– Yeah, I would just pile on, look, we work with customers to solve an important challenge. And it’s not an easy one. It’s a complex relationship. And we approach it not just from a tool or a product, right? It’s the nature of the relationship. We have a tactical and a strategic relationship and we really want to partner with our customers. And it’s a journey, right? It’s not a point in time. It’s not a place we get to, it’s a long-term relationship, and our goal is really to be an extension of our customers and help them through a journey that takes a lot of twists and turns and is constantly evolving.
– Yeah, and I think Australians or down under as the U.S.A., we’re definitely getting more cyber conscious this year in particular. You’re probably aware there’s been a lot of massive breaches like Optus and Medibank and that kind of thing that happened, and I think the general businesses sentiment in Australia has changed drastically this year around cyber. So it was a perfect time for you to enter the Australian market, and Redd’s very excited about partnering with Arctic Wolf and helping end cyber risk down under as well. So just to elaborate further on the Arctic Wolf story, what’s the purpose of Arctic Wolf?
– Yeah, so I mean obviously, we talked about who we are, and I think for us it really is about how we drive risk down within customers. So how do we make them safe? And the purpose for us is how do you do that in a way that is affordable but effective, right? Because the challenge is the idea for a company to be able to go out and say, hey, look, I’m going to be able to build out and staff a 24/7 security operations center. I’m going to be able to review the environment tactically from looking at all of the data and filtering out the noise and getting to an outcome. But there’s also the strategic side, and I think ultimately for Arctic Wolf is how do we go into a business and a company and how do we take ’em from where they’re at today from a security posture perspective, and how do we make them more secure? I mean, it is as simple as that. The challenge though, to do that is not simple, right? All of the different technologies and the processes and procedures and workflows and the integration points. It’s a hard job. And if you’re trying to do it yourself, there’s also the whole human component. Like even if you want to do it, can you do it? And so, the point of Arctic Wolf is functionally, I liken it like this, most companies anymore don’t run their own exchange servers, their own email systems, right? So this idea of, hey, I just want to use email. Well, I’m going to probably use a cloud-based email service anymore just because I just want to use email. I don’t want to run the systems, I don’t want to manage the systems. Well, security operations really for me is no different, which is, I just wan know I’m safe, right? I just want to know that I’m protected. I want to know that I am becoming more secure. I want to know that I am fighting against the criminals out there, and I’m standing up to ’em day to day. I just want the outcome. I just want to know that that’s happening versus how do I do this all myself? And you know, I know Steve Hunter did a really good job of talking about core versus context. Like that is the idea is, I call it core versus chore, but if it’s not core to your business to run a security operations platform and invest the amount of money and time and resources it takes to actually battle and fight the criminals, then you probably shouldn’t do it. Even though you still need the outcome. You would never run your business without email or a CRM. You shouldn’t run your business without a SOC either, but that doesn’t mean you have to go do it yourself, right? And I think that ultimately that is the point of Arctic Wolf is how you deliver that outcome without you having to go and do it yourself.
– Yeah, that’s definitely true. And we see that. We manage the IT for a lot of businesses, and I think generally boards and CFOs just want the outcome. And I think it probably was the case 10 years ago or beyond that they would just go their internal IT team or their MSP to get that. But it’s evolved a lot and hence a lot of growth with Arctic Wolf. So I want to touch on, Steve, this is probably a question for you, what do you think the market share is of security operations or outsource security operations globally currently versus what it’s going to look like in three years time?
– Yeah, great question. So, building a SOC historically and now has been reserved for, I would say large organizations that have the resources, they have the budgets, they have the ability to go higher and dedicate 8, 12, 50, hundreds of employees to managing and operationalizing a SOC 24/7 around the globe or in their region. If you rewind back in time when I first started at Arctic Wolf in 2019, and Gartner still to this day has not done a Magic Quadrant for the MDR market, but they have produced a market guide, back in 2019, I think they were projecting somewhere around 25% industry adoption by 2024, 2025. Each year in their market guide 2020 and 2021, They’ve increased those projections, and I think the last market guide in 2021, they were suggesting that we would see roughly 50% market adoption for MDR services by 2025. So we’re still early. MDR has certainly taken a move in the market to offer customers that don’t have the budgets to go hire a team of even three individuals to do SOC or 24/7 monitoring across the environment, an affordable way to answer the question, are we safe, and do we have the ability to respond to an incident if and then we need to in the middle of the night?
– That’s good insights. And it’s probably good little segue, MDR, managed detection and response industry. There is a lot of players in that space and because of that, I guess market share is going to grow significantly. What’s the core difference between Arctic Wolf’s service and typical or traditional MDR vendors?
– Yeah, there’s several layers to this. Lane and I can probably offer a couple different perspectives. I think, tools, there’s a lot of approaches where the organizations can buy their own tool stack to go ahead and operationalize this internally a kind of DIY SOC, if you will. There’s a lot of vendors that have come to market with sort of a blend of tools and service. I think we’ve always approached the outcome and the solution by offering a service and a strategic partnership, which I think does differentiate how we go to market versus some of the other competitors out there. I mean, I’ll pass it over to you for a couple other points.
– Yeah, so I think, Jackson, the key here is the type of competitor, right? So the challenge is over the course of the last seven years, it’s almost been like, oh, if you have a security technology, let’s just put M in front of it and now we’re MDR, right? Whether that’s a piece of network technology, just an endpoint technology, an auth technology, right? So the idea is really about like who we’re talking about from the competitive landscape, but one of the core fundamentals that we have always had at Arctic Wolf is the concept of broad visibility, right? So, this concept of XDR has been around in our minds for a long time, right? And so this idea of, I want to be able to look at more than just one attack surface, and I want to basically be able to monitor and detect and try to respond, whether that is guided remediation, or you’d be able to do things like host-based containment or whatever. The idea is that, like for us, broad visibility has always been a core foundation, and that’s not always true of other competitors, right? A lot of competitors are now starting to move into that space of, hey, I can’t just have it be endpoint or just network or just auth or just cloud. So they’re trying to basically build out their portfolio to offer more. The other thing that I think’s been differentiating for us has been we try to be very vendor neutral as much as we can, right? Which means we do bring our own technology to bear, but we can also service customers without them being on the Arctic Wolf tech stack as it stands today, right? So like, if you’ve invested in one of the top 5, 6, 7, 8, 9, 10 firewalls or endpoint solutions, we’re going to use that as part of our service. Meaning we can still deliver a service to you without you necessarily having to rip out your existing investments, right? Which is really helpful in the marketplace. But then you switched, so I’m talking about like, those are almost like big companies with tools that are starting to build MDR type services on top of their toolsets, but there’s an entirely other category that are competition, which I would consider are more kind of the traditional MSSPs that are going to go through and maybe try to do co-managed SIEM setups, or they’re going to build an MDR service wrapped around a third party technology or tool. And I think that where this starts to differentiate is scale. So from Arctic Wolf’s perspective, if I rewind when I was seven years ago, we had a hundred customers, right? Our SOC was small. It was just enough to be 24/7, right? But what what happens is as you grow and as you scale and you are able to make investments, right? So we’ve been given a good chunk of money and invested a good chunk of money in delivering nothing but this outcome, which means we have the ability to do things like take tactical items off of our strategic CSTs and then put focus there. And if you’re able to put focus and resource on the specific functions, they’re inherently going to be better than trying to do everything at once, right? So I’ll give you an example. So our Concierge Security Team that does strategic outcomes with our customers and our partners, they aren’t responsible for deploying the system, right? We have an entire deployment team that is getting it up to speed and ready to go before we hand it off to the security team. That’s not the same when you’re talking about maybe a smaller organization that has 12 to 20 max people that are the security people, they’re managing the tools, they’re doing the deployment, right? They’re kind of doing everything. And I think the key is you can scale different functions, threat research, triage functions, you start getting a scale effect, which means you’re going to be more efficient and effective because you’re focusing in areas that frankly, if you don’t invest the money and the people, you won’t ever be as good.
– I was actually going to ask a little followup question. Like you mentioned MDR is confusing, and I’ve definitely noticed that. We’re early in the partnership with Redd entering the Australian market, and I’d say it is quite confusing for IT managers and CIOs and people who are going to market for I guess helping end their internal cyber risk because there is a lot of vendors who, like you said, just put an M or an X in front of their offering and now they are managed detection and response or XDR and it gets really, really confusing. So before I get over to you, Brad, Lane, what questions would you ask internally if you are looking to mitigate cyber risk and you’re speaking to Arctic Wolf, but potentially a couple of other vendors, how do you differentiate?
– Yeah, so internally, the first thing I would ask is like, am I looking for a tool or a service? Seriously, it’s the first thing you have to ask yourself as a business, which is, am I looking for the outcome or am I looking for access and I want to build this capability myself? It’s the first thing you have to ask because as you go down this evaluation process, that becomes a very important point. The next level for me becomes like, what does my existing toolset look like and what attack surfaces do I believe in my business are important? Now in my opinion, you have endpoint, you have auth, you have cloud, you have network, those are kind of four components. Then you have the human side, right? Those five are really essential attack surfaces. So the next question I would ask is, who am I looking at? Are they going to cover the broad attack surface, right? Are they actually doing triage and forensics 24/7 across those attack surfaces? Or is it, they can ingest some of that data, but they’re only actually triaging specific sets. Like that’s important, right? Because you want to make sure you’re getting alerted regardless of where they’re at. So attack surface. And then I would say the last one is, what is my internal security maturity? Like for me as a business, what am I looking for in the relationship with this service provider? Obviously making the assumption that you decided you wanted to service and not a tool because it is going to become very apparent that you are going to have to know like, okay, yes, I want alerts and yes, I want to know if I’m safe, but how am I going to move the needle because that stuff is going to help identify things, but how am I going to move the needle to reduce the likelihood of these things happening? So my question back would be how is the partner that you’re getting into as an MDR offering, broad coverage, neutral and vendor in my environment, and honestly like how are they delivering this strategic outcome? And in my opinion, the whole idea of detection and response across multiple attack surfaces is becoming more commoditized, right? Like it is. You shouldn’t call yourself, in my opinion, an MDR vendor if you’re just looking at one or two attack surfaces. Like you can, but I think you’re doing a little bit of a disservice to the market.
– [Jackson] I agree, yeah.
– However, if you’re doing all of them, then it becomes a strategic conversation.
– So I guess that’s kind of a good segue there into what is the difference between that Arctic Wolf service and and that of your competitors.
– Yeah, and again, I think, so again, if you have more data and more telemetry, it just means that you’re going to have eyes and more spots in the environment, right? So it doesn’t mean that, like let’s say, let’s say I can ingest Microsoft Defender data, right? And I can get it, and I have it in the system, and I can search it, and it’s there. But if it’s not operationalized through the SOC and I can alert on it, like, are we sure that that’s really the MDR function? No, it’s probably not, right? So, Brad, I think just making sure that when we talk about what we support and what we ingest, it isn’t just what’s in the technology, it’s also about what you’ve operationalized through the human workflow. That’s the tactical side or a big difference. But the other side, and you’ll probably get sick of hearing about this, but this idea of a concierge security team, a security journey, like walking a customer through and helping ’em identify areas within their environment that can help them become more secure. It is one of the reasons customers come to Arctic Wolf. And more importantly, I believe it’s one of the reasons customers stay with Arctic Wolf, right? So we have a strong technology platform that drives all of our security operations, but having that high touch strategic function within our customer base, it really helps both sides of the aisle.
– Yeah, to be constantly improving that security posture of the client’s business ultimately.
– A big part too, like our go-to market, sometimes you don’t think about your go-to market when you answer that question, what differentiates you from your competitors? But our channel go-to market has been really important for our customers, right? I think a lot of times organizations, they lean on partners like Redd to bring really valuable, critical, mission critical services to the table. And we found a great way to bring our service, our security operations platform to market via our key partners that have a lot of trusted relationships. And it does differentiate how we’re working together with partners and customers alike.
– That’s an interesting choice, but it does make a lot of sense going through channel instead of direct. So, little bit of a segue, put it back to you, Lane, when you started at Arctic Wolf seven and a bit years ago, what did the cybersecurity industry look like compared to now?
– That’s a great question. So I’ll try not to be super long.
– We’ll see.
– Good luck. So the key here is that what I found was security really evolved in this idea of like becoming a function of IT, right? So what I mean by that is, if I was a director of IT, a VP or a CIO, for a long time, my entire job was to make sure that users, customers of theirs, business applications were up and running, right? I was delivering technology for them to use. I was delivering uptime to make sure web servers were running, all of that stuff. And what happened is people in IT got really good at it, right? We were like efficient and effective and things were up and running, and we were making people more efficient. And then all of a sudden security became a really hot topic in the market, right? Whether that was because we saw the first ransomware set up where it was like, oh my gosh, this can actually take off entire businesses offline. And what happened very quickly was, oh wow, just like previously I didn’t have a disaster recovery plan. Now it’s like, wait, I don’t have a security plan. And the challenge was companies and businesses were like, okay, well, the things that we’re trying to secure IT runs, so, okay, you’re also going to be the security people, right? Well the challenge is unless you’ve been a practitioner in security, implementing a SOC or security processes is a lot different than than IT, right? So I always liken it to like NOC time and SOC time, right? Knock time is web service died, better get that thing restarted or you’re losing money. Where on the SOC side you’re like, ooh, there’s an active directory alert. You’re not just going to shut down active directory without doing the work to confirm that there’s a real problem or not, right? And so they’re really two different mindsets and two different functions. And so what I saw back then, Jackson, was really a struggle for this person in IT going, like, I’m now in charge of security, but I don’t know what to do. Fast forward to where we’re at today. And I think that there’s a lot more maturity in this market around what security options there are. Example, when I first started, this idea of MDR being an option for a company that was over 500 employees, like it wasn’t an option, right? ‘Cause they were going to go buy a SIEM and do it themselves ’cause that’s what IT people do. They buy technology, they implement it, they set it up, and then they let it run without the knowledge that it takes a lot more than that when you’re talking about a SOC. Fast forward, now you’re seeing MDR security operations as an augmentation or an outsource of your capabilities as a viable option for some of the largest of the large companies, right? And so the evolution of maturity and what capabilities you can bring into bear, it’s markedly different than it was seven years ago.
– That’s some good insights. And I do agree that even technology, so we focus on more the technology side of businesses at Redd, and I’d say that internal teams are quite struggling these days because say they’ve got two or three engineers. IT engineers these days are mostly generalists. And before, 5 years ago, 10 years ago, we were all generalists. But now that you need specialist networking, specialist cloud, specialist security, it’s quite hard to build a end-to-end internal IT team because there is so many different services. So it makes sense that you’ve got partners like Arctic Wolf where you can outsource certain functions too. Mate, I’ve done a lot of talking, Brad, do you want to ask the next question?
– Yeah, so I guess it’s carrying on from the past, and now moving into the future. So, what do you guys see the future of the industry look like?
– Yeah, that’s an interesting one. As the industry’s matured, and adoption has increased, cyber insurance has been a bit of a driver here in the States, and I think a lot of the carriers are global in nature. I think what they’ve learned in the States will likely be applied internationally, including Australia over time. And if you look back to 2021, your carriers paid out close to 80% of premiums I believe in 2021. And it was a a period of time in which it was really easy to get a cyber insurance policy. There wasn’t a lot of diligence that went into scrutinizing what controls were or were not in place. And as a result, as ransomware attacks rose, carriers naturally paid out a higher percent of premiums, and that’s not a sustainable business model. And 2021 into 2022, we saw carriers take a significantly different approach to requiring a significant level of controls be in place before they would underwrite a policy. And that really shook up the market here in the States over the last year, year and a half. And I think we’re still seeing that mature, and we actually saw a reduction in total number of attacks in 2022 so far, not necessarily the case in Australia, right? They saw it rise, probably the largest rise across the globe. But I do think some of what we learned in the States around cyber insurance controls that needed to be in place will make its way more broadly across the globe. It’s certainly things like multifactor authentication, it’s user awareness training, it’s network monitoring, it’s 24/7 detection response, it’s endpoint capabilities, it’s firewalls, it’s a lot of the basics that you’d expect a lot of organizations to have in place, and it’s sort of lending credibility to the need to take security seriously.
– Have you seen that across any of the other regions that you’re operating in? So, kind of starting in the States, are you starting to see that more in the other regions that you’re operating in, Europe, EMEA, et cetera?
– We’re starting to see it make its way into the Canadian market. It’s coming up in conversation here and there in Australia. So we acquired Tetra in February of this past year. Tetra really brought an end-to-end digital forensics incident response capability to Arctic Wolf, and it really rounded out our offering, and we’ve learned a lot as a result of having Tetra become part of Arctic Wolf, and we learn a lot from the front lines, what’s happening, types of attacks, and techniques. But Tetra’s business is heavily reliant on carrier-sourced IR cases, and those carriers, again, they’re global in nature, and I think these businesses are going to apply the same controls that they put in place in the U.S. globally over time.
– Steve, so you said over in the U.S. it’s shaking up the market and ask a lot more questions before you can get cyber insurance. What are you seeing? We are seeing some businesses in Australia opting, particularly large ones actually, opting to self-insure, and actually not even get cyber insurance ’cause the price has gone up so much. Are you seeing that over in the States as well?
– Yeah, it’s different. I think industry and vertical by vertical size of company, there’s some industries in which it’s not an option. In order for you to earn a contract or do business with a supplier, you’re required to have a certain level of cyber insurance. So in that case you have to sort of go out in the market and in some cases companies are having to go to multiple cyber insurers or carriers to get a policy underwritten. You can’t just go to one one carrier and get full coverage. You have to go work with two or three carriers to get full coverage. Rates have gone up as a result. But in some cases, certain industry verticals, K through 12s, their rates have gone up, and they’ve opted to, in some cases, self-insure or take on the risk of not having a policy and choose to source those dollars in something that is potentially preventative in nature to make sure that they don’t get attacked in the first place.
– Yeah, we’ve definitely seen that. And I mean in case you weren’t aware one of the largest breaches this year in Australia was Medibank Private, and they actually didn’t have cyber insurance at all. It was 2.9 million personal information that got breached. And that with the Optus breach, I think of the 26 million population in Australia, 13 million of personal identities got breached this year.
– I was in both of them.
– Well done, Brad. So pivoting a little bit. Lane, this one might be for you, you’re responsible for the cybersecurity strategy of a lot of businesses across the globe and you probably get, I guess, this question a lot of the time. What are your thoughts on pen testing or organizations getting pen testing done?
– Yeah, it’s a good question. So just like any other tool, I look at pen testing as a tool, right? So when we talk to customers, whether it’s existing customers or prospective customers, the idea of pen testing is really about in my opinion, how you make your defense better, right? So it’s less about, just like managed awareness, like security awareness, it isn’t about can you trick the user into clicking links, right? It’s about how you train the user to think, and basically build a culture of awareness. Pen testing for me is no different, which is if you choose to deploy and get a pen test done and you copay the 15 to $30,000 that it’s going to take in your environment, and you don’t have some of the basic controls in place, the first thing they’re going to tell you is to put the basic controls in place. So you haven’t really like solved anything. You haven’t really addressed anything except for proving what we already know, right? It’s like you’re proving a known known, which doesn’t make a lot of sense. So pen testing in my opinion should be done after you feel like you’ve implemented a pretty strong security program, and then you should do it in conjunction with that security program, so you all can become more defensive, more safe, right? And I think that’s where it comes. The other thing I’ll say on this topic is the definition of what a pen test is varies greatly, right? So I’ve seen people do an external vulnerability scan and then report back without doing anything and saying that was a pen test, right? All the way to giving a pen tester, a red teamer, an account inside of an environment with access, and just saying, how far can you move laterally? Like there’s a large range of like what a pen test is doing. And I think that knowing the scope of that also matters because what are you trying to test for? What I’ve seen a lot, Jackson, is people trying to implement a pen test to get a budget. And in my opinion, you should and can build a proposal that should allow you to get the security spend you need in a risk-based conversation versus here’s a proof of somebody was able to breach me, right? For me, it’s kind of throw away money if you haven’t done some of the core things upfront. My opinion.
– That’s fantastic advice actually. And yeah, I do agree with a lot of those points, and I think in Australia if someone quotes you a a pen test for less than 10 grand, you got to really start asking some questions about what are they actually looking at. There’s probably a different scale from what I’ve seen in the industry when people go out for quotes of pen testing. It can be like you said, a basic, run a vulnerability management tool, and send back a report and there’s your pen test, or it can be a lot more in depth where they’re actually trying to breach applications and do the physical walk into their office and drop in a USB kind of thing. So there’s a big scale on that, but your advice around making sure you’ve got the fundamentals in place first and then getting pen testing. And don’t do that as an exercise to get more budget or to start getting the organization, I guess, more cyber aware. That’s really good advice. After you have lifted up to that baseline and you’ve done a pen test, how often would you recommend businesses get pen testing done?
– Yeah, again, I think I would follow probably your industry, and if you have compliance requirements, but I think an annual pen test is a pretty standard approach because look at the end of it, what you’re really trying to do again is just say, hey, over the year I did all of these things to try to be more secure and bolster my defenses. How do I then bring somebody in and try to test those defenses, right? Like that’s what you’re doing. And so ultimately you’re really just trying to find more cracks that you can fill coming into the next year. So I think an annual pen test is not a terrible idea, but again, here’s the other side, you have to be able to act on that. So if you can’t implement the changes or the roadmap or the things that they find within a year and you haven’t changed anything, why would you have another pen test to just tell you the same things that you had last year? So it really comes down to like your capability of being able to implement the change that they’re testing.
– Yeah, and scope and value, right? I mean, I think we’ve seen, we run into situations where an organization has spent more money on a pen test than they would’ve spent for our entire service for a year. It leaves you asking what would’ve been a better investment and would’ve made my organization more secure?
– Where’s the value, yeah. That’s a little bit like cyber insurance as well, right? Like if you spent a lot of money on cyber insurance, but don’t have any security operations, and you get breached, like it’s all well and good to have that monetary covered for downtime and covering the IR and maybe in the forensics, but the reputation hit’s already there, and you might have directors with passports out on the dark web, that kind of stuff. Cyber insurance isn’t really going to help with that reputation hit. Now, Steve, this probably next question for you. so Arctic Wolf expanding to Australia, you’ve grown like fairly quickly and Redd being your first flagship partner, which we are really excited about the offering, what are your plans for Australia and New Zealand?
– Yeah, great question. Well, number one, we’re excited to officially be in Australia, and to have our first partner signed up and actively going to market. We have a sales leadership team, David and Steve and in Sydney. We’ve got our first team boots on the ground, Alex and Rohls in Sydney as well. And we’ll continue to scale out the sales go-to market, we’ll probably bring on five, six teams over the course of the next six, nine months and ramp up sales capacity. At the same time we want to make sure that in going to market in Australia, we’re making the necessary investments to demonstrate we’re going to be there long term, right? And so we’ve hired a concierge security director, we’ve hired a customer success director. We’re hiring the necessary sort of post-sale customer support teams to demonstrate our commitment to servicing the Australian market. And we’ve got longer term plans to build out our SOC and data center capabilities, and I think it’s short range, three, six months. But we’re really excited to think about our fit in the Australian market and being able to work with partners like Redd to make that a reality.
– That’s exciting and we are looking forward to joining you on that journey to end to cyber risk down under. What about Arctic Wolf as a global organization? You’ve got a lot of growth, a lot of change. Like Lane, since you’ve been there seven years, a ridiculous amount of growth. What’s Arctic Wolf’s plan for the future next?
– Yeah, I mean I think for us, there’s still a lot of things to do in the current strategy we have, right? So I think for us a lot of it is going to be a lot more of the same but better, right? And by the way, I think that’s one thing that we have done, what I would consider, fairly well as a business, which is we haven’t tried to be everything for everyone, right? We have tried to be very core and focus on what we do. So, Jackson, specifically, I mean we’re obviously going to always look at are there technologies, are there services, are there better things within our portfolio that lead towards reducing risk or a security operations function? We’ll always look at that and see what makes sense. We will continue to invest geographically and globally in our go-to market. But I personally think we’re going to have a little bit more of the same as we continue to go, right? Because there’s still a lot of companies, as Steve talked about adoption, there’s still a lot of companies that are still getting into the spot of what do I do here, right? And I think if you can do it better and better, that’s better for everybody. But let’s solve and let’s address the actual problem that we’ve been trying to address and then have been for 11 years, right? That’s my opinion.
– Yeah, and I think it’s a good one too. And look, I mean, we’ve been able to grow and scale by entering new markets internationally. I think we’ll continue to see that. We’ve also continued to scale our security operations platform, right? We’ve added new capabilities over time. We started off as an MDR kind of pure play company. We added managed risk. We’ve since added managed awareness training. We’ve added IR capabilities to the platform, and I think we’ll have both organic and inorganic inquisitive growth over the coming years that’ll bring new capabilities and features to our existing customer base.
– That’s exciting. And I think your time to enter the Australian market couldn’t have been any better. Let’s be honest. Conscious of time, Brad, any question you had you wanted to add?
– No, not really. Look, it’s been exciting as you just mentioned, it was good timing. I think we’ve been talking for about, oh, just over six months, and it’s been really well received kind of on that basis. We’ve had conversations with lots of customers and maybe having that conversation a year ago, it wouldn’t have been that important, but it’s being very well received at the moment. So we’re looking forward to bringing these solutions to our customers ’cause I sleep better at night knowing that they have these things in place as well.
– Yeah, definitely. And like Redd’s rolling out internally, and we honestly want all of our current customers, we look after their IT to take up the offering as well ’cause it is that kind of peace of mind for us because we know that businesses are at risk at all times, even with every toolset out there and people looking at best MSP or the best internal IT team. But if you can mitigate that definitely helps us sleep better at night. So, mate, Steve and Lane, thanks for joining. I really appreciate the insights that you’ve shared with us today. Anything else you wanted to add before we close out?
– No, you’re doing good work. We appreciate the partnership and look forward to continuing success. Thank you for having us today.
– Yep, thank you very much. It was awesome.
– Awesome, guys. Thanks Dave, thanks, Lane. Cheers.