.jpg)
CTO Insights
Welcome to the new CTO Insights podcast, brought to you by Gardner Systems CTO, Paul Stringfellow. We aim to bring you concise summaries, expert opinions, and thought-provoking interviews covering emerging technologies, industry trends, and best practices. And to provide you with a go-to source for the latest updates in enterprise IT.
CTO Insights
Arctic Wolf's Nick Dyer | Ep 7
Welcome to this edition of CTO Insights, where we explore how cyber insurance is revolutionising cybersecurity decisions within organisations. In this episode, we sit down with Nick Dyer, Engineering Director at Arctic Wolf, who shares the innovative journey of Arctic Wolf's cloud-connected security operations. Nick discusses how a risk-focused approach, driven by limited resources and the rise of ransomware, has reshaped Arctic Wolf's strategies, enabling them to support mid-market businesses and the public sector in overcoming significant cybersecurity challenges.
We delve into the critical importance of visibility in today's IT landscape, as the transition from traditional antivirus tools to advanced EDR and XDR systems becomes essential. Nick highlights how cyber insurance mandates are bridging the gap between IT and business, ensuring that IT security measures align with business objectives to mitigate risks and ensure compliance. Visibility is key for CISOs, CIOs, and CTOs managing complex infrastructures and adopting cloud-native solutions.
Finally, we tackle the complexities of managing cybersecurity risk and the ongoing challenges faced by IT directors and CISOs. Nick offers insights into the continuous investment required in cybersecurity and how cyber insurance is playing a transformative role in promoting better security practices. We also explore various cybersecurity frameworks, the impact of public cloud adoption, zero trust networking, and the importance of data security and privacy amidst AI advancements. Tune in to discover why effective security strategies rely heavily on people and processes, not just technology.
Hi, I'm Paul Stringfellow. Welcome to another episode of CTO Insights. So on this week's show, we're going to be talking about and wait for this the exciting world of cyber insurance. It's all right, don't turn off. We're going to be looking at how cyber insurance is influencing the way that we make cybersecurity decisions in our businesses and in our organizations and what we need to think about as C-suite executives, as leaders in IT, about the way we deliver security across businesses and some of the change in influences that are dictating some of that strategy. So, to help me to do that, I'm joined by well, an old friend really Nick Dyer. Hi, nick, how are you doing?
Speaker 2:I'm really good. Thank you for having me today.
Speaker 1:Hey, real pleasure. And we might get into your story of running across London to get up to Liverpool on time this morning. But we'll see how time goes before we jump into that. So well, before we start, let's get a little bit of background on you. So you're Engineering Director at Arctic Wolf. So well, firstly, tell us a little bit about your background, what that role entails, and something we were talking about just before we started recording that actually we weren't going to include in, but it was such a good story. We will tell us a little bit about the background to Arctic Wolf as well.
Speaker 2:Yeah, so I uh I run the technical, uh, pre-sales and post-sales element here at Arctic Wolf in the UK and Ireland. Um, I've been, uh, 18 years in IT, give or take um much like you. I've kind of grown up through the whole infrastructure, virtualization, storage element of the world and ultimately the development of that into cloud and SaaS-based applications, and I really relish getting involved in newer organizations that are quite disruptive to market. So I've done network-based startups, I've done storage startups and this would be my fourth one, which is infrastructure and cloud security, which is Arctic Wolf.
Speaker 1:So well. You made a really interesting phrase in that actually working in companies that are disrupting the industry. And I mentioned kind of in the intro we were talking before we started recording of the way Arctic Wolf came into the cybersecurity space. So you know people will be increasingly familiar with who Arctic Wolf are, but that background story was really interesting. You know. It's actually a good example of people having an idea that seems to be way ahead of its time and then that kind of idea and opportunity colliding. So give us a little bit of background to Arctic Wolf, how they came to be.
Speaker 2:Yeah, absolutely so. Arctic Wolf is probably a name that people have heard of through one way or another. We sponsor Red Bull Racing, and they're a customer of ours. We sponsor Wolverhampton Wanderers, and they're a customer of ours, so you've probably seen the logo here and there. However, yes, it started off around about 12 years ago, so 2012.
Speaker 2:The founders of the company were some of the leaders and engineering leaders at a company called Blue Coat Networks, who many people probably remember for network-based security, and when they ultimately were acquired by Symantec I believe it was they sat around a kitchen table once they exited and they designed what's our next play going to be?
Speaker 2:And they came up with this concept of doing a concept of security operations as a service because they realized that things like SIEM and endpoint security and firewalls and AV, as it was in 2012, probably isn't going to be enough as we migrate, move forward to cloud.
Speaker 2:So they wanted to do a cloud-connected security as a service that was going to be really aimed at the mid market, so not really going after the large, large enterprise of the world. You know, the people that need help are ultimately going to be the people that struggle to hire good security people, which is the mid market and the public sector um and uh and ultimately to give them guidance and expertise, which, through which, evolved to then be the Confeo service. But they sat down on a piece of paper and they built this cloud-based architecture and technology in 2012, before things like WannaCry hit, before the advent of ransomware it was really kind of malware-based attacks back in the day and, you know, through you know fortuitous luck of things like ransomware being developed and WannaCry hitting the company really accelerated and then, through the pandemic in 2020, became the point where organizations realized that you know, endpoint and firewall-based security isn't enough and we need some serious help here because we can't build everything ourselves. And that's really what accelerated ArcDevils growth globally.
Speaker 1:Yeah, and I think it's a really interesting parallel, I suppose, with the way as bizarre as it might seem with our topic for today, but I think it's an interesting parallel in one having some level of insight that can help you to develop a strategy long-term, so actually being able to see problems a little bit ahead of time and be able to plan for them. Because I think, as we're seeing, the conversation in cybersecurity is changing quite a lot. There's a much more risk-focused conversation now. It's not so much a conversation around having tools and being able to be able to stop a threat or be able to almost identify and respond. It's actually a lot more about understanding where the risks are, because we've got finite finite resources in terms of people, finite resources in terms of in terms of budget, and it's important to look at where the risks to our organization is and how we go deal with them, which you know, I think is quite a nice segue into the kind of the conversation we scared everybody off with at the beginning, talking about the idea of cyber insurance.
Speaker 1:But obviously we wanted to kind of cover this. This was something we've talked about before. We wanted to kind of cover this at how cyber insurance is influencing the way that organizations change and I'm sure some of our listeners and watchers here because I certainly know I've seen it in companies that I talk to in a lot of their cybersecurity strategy is now starting to be dictated by the demands of not just compliance regulation but actually what insurers and auditors are asking for them. So is that something you're seeing, and what kind of things are you seeing that are starting to drive some fundamental change in the way that we look at cybersecurity?
Speaker 2:You're absolutely right. Cyber insurance has been one of the many things that have allowed CISOs, ctos, cios, to help communicate what the business risk of cybersecurity has been to the wider organization, because, ultimately, that's what cybersecurity is. It's part of your acceptable or your kind of risk ledger that you operate inside of your organization, your kind of risk ledger that you operate inside of your organization, and every organization needs to have that kind of risk register or risk ledger to understand what do we accept, what do we want to fix, what do we want to prioritize. And I think the cyber insurance piece is really important because, again, it helps us communicate that to non-IT literate people within the organization, but also it's a way of helping with things like budgets and the pressures that we're seeing around reducing and optimizing spend. So, if we come back around to around about 2020 when the pandemic hit, if we come back around to around about 2020 when the pandemic hit, historically organizations were investing in endpoint tools, antivirus, we were investing into firewall tools, maybe some tools for cloud. At the same time, most hadn't moved to public cloud yet.
Speaker 2:I think it was probably fair to say it was on the radar of many organizations and the pandemic changed an awful lot because we had people working remotely. We had to punch holes in firewalls left, right and center People took home desktop machines. I mean, it's crazy to think back about what we did to keep the business going, but that also accelerated public cloud adoption. People were spinning up VMs because I didn't have servers on-prem and I had no resource left. I couldn't get to a data center to reset things. And so when it came to investing in new security products or tools, most business owners said, well, I'm not going to do that because I can buy cyber insurance and my cyber insurance is going to give me a great coverage model for not a lot for a premium. So why, as a risk perspective, why wouldn't I just go and do that instead of having to buy a load of proactive security measurements? And that's what everyone did and the cyber industry. The insurance industry then had to pick up the penalties and the payouts because of the premiums and the claims that organizations had to file because they ended up being a victim.
Speaker 2:And so if we accelerate from 2020, 2021 to 23, 24, where we are now, the cyber industry has done much like what the car insurance industry and the home insurance industry has done, which is much more of a verification. You need to now show me and give me proof of all of your security controls. It's become very much more like an audit. You have to show the advancements that you've made. You've got to show that you have a plan around incident response that you've made. You've got to show that you have a plan around incident response.
Speaker 2:Multi-factor authentication, logging and monitoring, forensics, 24-7 monitoring All these things are now table stakes that you have to have to achieve. Your cyber insurance and the people that spend the money on the cyber insurance is not IT. It's not an IT problem. It's not a CIO or a CTO problem. It's the finance and the business owners problem, and so what we're now doing is bringing together the two worlds, because cyber insurance is now bridging the gap between what do my technical controls look like, what are my business controls and security controls look like, and how do I directly relate that to the premium, the policy that we need to achieve within the organisation.
Speaker 1:Yeah, it's fascinating, isn't it really, that you know who'd expect the following phrase to come out of anyone's mouth, but insurance has actually been a bit of a force for good with some of this stuff. It was interesting what you're saying because, yeah, I remember kind of having conversations two or three years ago around cyber insurers. You know, one of the risks was being because of the amount of premiums they were paying out because of ransomware attacks, particularly actually because of ransomware attacks that one of two things was likely to happen. One was companies wouldn't be able to get cyber insurance because actually the cyber insurers were just going to make it too difficult, or they could get it but the premiums would be so high that for many organizations they just couldn't. You know, and I think that's an interesting you know, but the shift has been and I think you see this, don't you in all kinds of industries, that often insurers, regulators, et cetera, play and catch up all the time, because actually the industry itself and cybersecurity is a great example of this, of course is changing so quickly that actually you know the way that a regulator or an insurer is going to keep up is they just can't. But it feels like you know, and I think we're seeing this influence more and more that it feels like kind of cyber insurers have caught up to what the risks look like but, importantly, you know as much for their own benefits as anybody else's, but are enforcing these kinds of good disciplines, good practice.
Speaker 1:And actually, while he was describing it, it kind of made me think of something else, and I was listening to you know, and for listeners they'll be surprised about this another podcast, apparently they do exist, but I was listening to another podcast and they were talking about what the modern CISO, modern CIO or CTO needs to think about.
Speaker 1:And actually one of the things they talked about I know this is something we've spoken about before is kind of the importance of visibility around some of this stuff. So just having insurance is one thing, but, as you were kind of alluding to there, you've got to be able to prove that you're doing some of these things. So is that something that you're starting to see? Because you talked about this kind of plethora of tools trying to solve the problem, just responding to stuff. You know how important is now in a kind of an IT leader's portfolio, how important is it to be able to just kind of see where they stand and be able to articulate that problem to a business. So I know that was a really long question, but the basics of it was visibility how important.
Speaker 2:Yeah, there's a lot to unpack there.
Speaker 1:Yeah, I realised as I got to the end there was quite a lot there.
Speaker 2:And there are many ways that that conversation can go. Because, if I come back to my earlier comment, historically we bought tools to protect our networks and tools to protect our users on laptops antivirus, and you've seen the market move drastically from antivirus to EDR to XDR. You've seen network-based security migrate to SD-WAN and SASE and CASB and all the acronyms and all the buzzwords. Sadly, this industry is absolutely rife with four or three letter acronyms four or three letter acronyms. But the downside to all of this becomes how do I gain a holistic visibility across all of the attack surface that I'm now maintaining, whether we like it or not? Having a three-tiered infrastructure or a virtualized infrastructure in two data centers, doing a replication was quite easy to manage and actually monitoring of that was okay because they didn't leave my premises and I only had to worry about the road warriors.
Speaker 2:Now we've got remote workers, you know, doing things on laptops. We've got, you know, third party access, maybe we've got SD-WAN encrypted networking. We've got cloud-based security. We've got containerization. We've got cloud native organizations. We've got youbased security, we've got containerization. We've got cloud-native organizations. We've got AWS, azure, gcp, oracle, cloud, ibm and the sprawl that we see there is that attacks can start in one area and they can reside somewhere else.
Speaker 2:And if you don't have that holistic visibility across everything, well that's the downfall. And in security, the practitioners we long look at things like MITRE ATT&CK as an end-to-end kill chain of a thing. And if you look at the MITRE ATT&CK framework for an attack that doesn't start and end on an endpoint, buying EDR or XDR on an endpoint will not save your organization, because most organizations are being breached now through business email compromise, through human manipulation on a phone. I mean, I heard the other day of an old customer of mine from years ago where they were being compromised in their teams. They were federated with a third party bad actor in their team's environment who were trying to manipulate people and it might be an identity-based attack, it might be a cloud-native-based attack.
Speaker 2:And if we don't have that visibility across all the plethora of tools and vendors that we use, that is where the challenge lies. And actually the goodness of cyber insurance is what dictates we need to use these tools. So MFA we see it all the time where MFA is seen as a burden, especially to the board. Well, actually now it's mandatory because cyber insurance we can't get it unless everyone does it and we prove it, or it might be. We need to do 12 months worth of logging and forensics and if we don't do it, we will be failing our audit or we will be failing a supply chain audit. And the element of all of this is the more that we distribute and the more that we scale, the more the importance of visibility is crucial to holistic security operations.
Speaker 1:Well, I think I might turn to unpack now. So we're doing a lot of unpacking. Well, I think Keir Starmer's doing less unpacking than we are at the moment. So I think there's a couple of really interesting points in all of that. I think one of those things around the way cyber insurance you talked about this right at the beginning actually the way cyber insurance has brought together the idea of the business and IT having to work together. Because actually, like you said, cyber insurance, like any business insurance, that's not an IT decision, that's a business decision. So somebody somewhere in head of risk or head of insurance or whatever their title might be, is making that decision on behalf of the business, might be is making that decision on behalf of the business. But to get that, then the business you know, from both sides, actually from an IT point of view, they need to understand the importance of kind of the business impact of some of those decisions they're making. And, from a business point of view, don't just shout at IT when something goes wrong or ignore IT when something's going right. Understand that there's this kind of big piece in the middle of making sure that we are doing the right things that protect the business. This is not about protecting IT. This is about, if we've got cyber insurance, we're doing that to protect the business in the event of an incident, there's some kind of comeback for us to help fund our recovery efforts or whatever it might be getting incident response involved.
Speaker 1:So I think that's an interesting area and I think one of those other bits that it's driving is this increased visibility, and it's not just the increased visibility of from a security standpoint. You know, are you seeing a desire to be able to more accurately report this kind of? You know, for a CISO listening to this or a CTO listening to this conversation, you know, think about, well, what kind of visibility do I need to give? You know, are you seeing any drivers, either from insurers or just in general, that actually we need to make sure that we're giving the business visibility? So we're not just talking about, oh, you know this problem and here's 15 levels and here's where it is in the MITRE kind of MITRE kill chain, but actually from a business point of view, we've done this and this has meant X, y and Z to the business. Are you seeing drivers towards that as well?
Speaker 2:I would say that if you're not seeing that now from the board or from your business owners and the C-suite that you work with, you're going to see that very quickly because as budgets have become harder to come by, as approval levels have spiraled, the quality and the visibility of the data that we provide but actually the business justification of doing such is crucial in order to maintain the growth of the business and to maintain healthy protection within the organization. If you think about, you know, an organization, an organization, even a mid-sized organization, will have somewhere in the region of 15 to 25 security products and tools. If I can't pinpoint the business value of each one of those tools, how it protects us, what it would do, what we would do without it and what would be the business impact without it, it then becomes potentially a name on the chopping block for next year's budget round, because everyone's tightening belts and we have been for the last couple of years, and vendor rationalization is top of the list. Do we have to have 25 vendors? Can we move down to 15?
Speaker 2:How do we consolidate? How can we, you know, get better buying power or spending power, and so having the ability to report and translate from an IT language into a business language is probably the most crucial thing that we have to do now in a CISO, a CIO or an IT director, and all of my conversations with an IT director are typically how can I help articulate what projects you want to do into what the outcome is for the business? Because at the end of the day, if the business is looking to spend X money, that money is typically either going to come out of someone's pocket and that money will not be spent on, maybe something else that will make more widgets or maybe, you know, be able to serve more clients in some way. So we have to tie that to what an improvement in the business is going to be and, you know, a cheap plug for what we do, but one of the things that we see an awful lot.
Speaker 1:Make an expensive plug, don't make a cheap plug.
Speaker 2:Yeah absolutely, but often we're able to tie somewhere in the region of a 25 to 30% reduction in cyber insurance premiums just by buying what Arc de Wolf do. So if we can offset what the price point of buying a service like ArcDeWolf is, if we can offset that against the residual risk expenditure on cyber insurance, and if that can be a net positive or a net neutral, then that is a justified business benefit that the customer can see. So it's all about not buying things for things sake. It's about how can I translate that and have a better outcome for the organization.
Speaker 1:Yeah, and I think it's really an interesting point. I'll come back to that claim around kind of so claim like I think you're lying, but I want to dig into kind of that ability to reduce an insurance premium, manage security costs better, because I think this is a really important part of cybersecurity. But I just wanted to go back to something else you was talking about. You know, and I think it's important for anybody kind of in a C-level position, listening to us chat here or watching the YouTube video or aspiring to go into that kind of role, I think it's important to understand. It doesn't really matter. I mean, it's interesting the amount of CISOs today who don't come from a technical background are actually coming from a different business discipline. But there are still, you know, equally an amount of people who've come from a technical background and found themselves, you know, through their abilities and their skills and drive in these kind of more senior positions. But I think it's a really important point you make around in those positions. It's not about, it's not about hands-on with the technology. I think understanding the technology is great and it's really important because you need to understand how the technology is going to solve a business problem. But I think you know the ideal is you need to understand these are business problems. So you know you are that interface between what technology is doing at one end and the board and the business drivers.
Speaker 1:You know, and that doesn't you know, not all people listening to this will work in companies necessarily that are big enough to require a c-suite or employing a cto or a cso, but I think that remains true. You know, if you're heading up it, the importance of being able to articulate back to the business some of the things you were talking about. What's the business benefit of that investment? Importantly, if we don't make that investment, what's the risk? You know, going back to that kind of conversation about risk, I think it's really important and I said I wanted to go back to this kind of idea of reducing costs because I think one of the other things that's a real challenge for businesses you know you're talking about kind of that reduction in budgets because companies are tightening belts, because you know the economies around the world, you know economies are not necessarily in great shape, so that's impacting.
Speaker 1:You know business budgets, business spend, and if you can't, if you're not giving true business value, however, you're giving that value and you can't prove that value, then that's going to be something on the chopping block. But you were talking about kind of reducing costs. So how are you seeing some of the changes that cyber insurers have influenced, going right back to kind of where we started? But how are you seeing that alongside you know, alongside tools like Arctic Wolf and what companies like yours can do, how are you seeing that manifest itself in reducing either insurance premiums or actually reducing costs overall? Again, lots to unpack.
Speaker 2:Yeah, there's a lot there.
Speaker 1:Yeah, I like to give you lots to weigh in with.
Speaker 2:Yeah, absolutely. But this is the thing with security. Security is a never-ending project.
Speaker 1:It's not like a virtualization, you know, three-tier replacement where we go you mean it's never going to be done and we can just say it's done Exactly yeah, and I think that comes into that spend piece, which is well.
Speaker 2:Firstly, you're absolutely right. Every IT director has to now communicate to the board. You know what the business value is going to be. It's not about tickets and responsiveness, and you know my people did this amount on the help desk. No, it's about what the value of this is going to be. It's about what the value of this is going to be.
Speaker 2:But I also think, thankfully, the cyber insurance industry has been one of those accelerating dynamics that have helped people realize that what they're doing is not enough and there needs to be more investment, and that's helped build out the security projects and the frameworks that CISOs and IT directors want to do, because I think for a long period of time, it directors have been sat there waving a flag going. I know this is not good enough, but I can't find a way to translate this to something that's going to be signed off, going to be signed off. So, coming back to your point about spend, yes, budgets are tight and budgets have been tight for some time. The cyber insurance industry have been driving this concept of good, better, best. So if you had nothing from a security tooling, let's say you had some antiquated antivirus, you had some old firewalls. You didn't have anything else. You know, as a policy, they would have this good, better, best framework and as a good, they would say, right. These are the first things that you need to implement to get yourself off the ground. Things like multi-factor authentication, security awareness, training, an incident response plan because everyone needs a plan, and that's going to get you a certain level of premium. You still have a lot of risk, so therefore your coverage is going to be less.
Speaker 2:And if you want to then achieve better or best, that's when you need 24-7 monitoring, it's when you need forensics and logging. It's when you need forensics and logging. It's when you need vulnerability management. It's when you need awareness across the organization proactively all these other things that we have to do. And that then drives in that conversation of spend and efficiency, because on the other side of the coin, it's like I said before if I spend half a million quid on security, that's half a million pounds. I cannot spend on something else that's crucial to my business, that someone else has built a business plan for. So where do I spend the money and what's going to give me the right sign off? And it all comes down to what the acceptable risk is in the business.
Speaker 2:So CISOs and IT directors have been looking at things like the NIST framework, the NIST cybersecurity framework. We've got Cyber Essentials and Cyber Essentials Plus. Here in the UK there's CIS version 8. There's many of these frameworks around the world. We've got NIST 2 in Europe and we've got DORA coming in for the financial markets as well and those are frameworks and audits that organizations will have to kind of not self-certify but have to externally certify against and they will have metrics and things that they have to achieve. So all of these incoming audits and frameworks and compliance needs will also drive those discussions around value, around budget, around sign-off, because if I can't do that, I can't sell in Europe, or if I can't do that I can't open up a new kind of subsidiary somewhere else. I lost my train of thought there.
Speaker 1:That's okay. So you raised some interesting questions and Nick thinks we're going to edit that, that pause out, but we're going to keep it in, just to prove it.
Speaker 2:Oh really, yeah, just to prove it's real. Oh right, that's how we roll here, is it?
Speaker 1:Yeah, absolutely how we roll, you know, and I think it's because I give you a lot to unpack.
Speaker 1:How we roll here, isn't it? Yeah, absolutely how we roll, you know, and I think it's because I give you a lot to unpack, so it's easily done. But there's some stuff that you said in there that I think is really interesting as well, in that I think you know it's interesting, isn't it, how we started talking about cyber insurers and then you kind of led on to frameworks, you know, and I think it's an interesting sign of two things maybe. One is the increasing maturity that we we have to employ when we talk about how we look after data and how we manage risk. I think you know, I think it's always important that you know. If you're in an it leadership role looking at cyber security, you should understand that primarily, you're concerned with risk, because the reality is we can't necessarily spend well, we definitely can't buy all of the IT tools that we need to be able to buy or that we want to be able to buy to deal with stuff, you know. So we've got to look at risk and we've got to understand how to articulate that risk accurately. I think that's a really important point and I think you know, if you're in that kind of role, they're the kind of things that you need to be thinking about and I think it's interesting to say that kind of sign of one how immature maybe this market has been, but how the increasing maturity, you know, and I think you can look at frameworks and government regulation and you know, et cetera, and you can see that as interference.
Speaker 1:But I mean my view with all of this and you know, and that's, you start with GDPR and kind of keep going. You know, I think that we were, as IT professionals, a lot of the time I think we were way too lax around how we looked after data. You know, and I think for companies who held not naming any names, but for companies who held lots and lots of personal information, were very, very lax with basically mining your information. You know that's what they were playing with. It wasn't theirs, it was stuff about us and people were very like. So I think all of those have been great improvements and I think it's also helping to drive this kind of improved maturity about how businesses and IT leadership inside of organisations need to look at these kinds of things.
Speaker 1:So I haven't really got a question for you, I'm just agreeing with you. So that's good. But I think you know, I think all that kind of increase in maturity has been really interesting. What I did want to ask you was that and I'm kind of aware we're kind of coming up to time now, so what I did want to ask you, though, was if you were to look at the way you've seen some of these shifts over.
Speaker 1:You've been at Art2Wolf for four years now, so if you were to look at some of those shifts and some of the changes you've seen and some of the things that you're seeing, those shifts and some of the changes you've seen and some of the things that you're seeing external sources external sources are trying to influence and trying to change, what tips for some of our audience would you have to say? These are things that you've seen and actually, if they haven't seen them yet, these are some of the things that you might want to think about. You know, there's two or three things, that kind of front of mind that you think, actually, if you're listening to this and you're in that, IT leadership role.
Speaker 2:Either you should be doing these things now or, if you're not, you need to be thinking about doing them. Yeah, I mean, the great thing in IT is there's always new technology, there's always new evolvements. It's what keeps everything fresh. It really excites me, and you know that's kind of why I do what I do. However, you know, really excites me and you know that's kind of why I do what I do. However, you know, I think organizations have seen the most amount of transformation in the last five or six years and we've seen, for a very long time, public cloud, zero trust networking, casb, you know, 365 and cloud native SaaS-based adoptions. Would this be a really good podcast if we didn't mention AI?
Speaker 1:You know we've got to get in somewhere. It would, contractually, we would fail our obligation if we didn't mention it Exactly so.
Speaker 2:these are all dynamics that are going to change the business for the better. They will require, you know, considerate thoughts and you were mentioning about data. You know AI is built on data and data security and privacy is really important. One of the big things that we've done at Arctic Wolf is we've got our own AI policy which we've defined that we've rolled out. Everyone's trained on it, everyone has to certify against it and sign off.
Speaker 2:We do not let any customer or external or even our own internal data go to any third party AI product or tool whatsoever. And if we're told that a tool is going to implement AI, we have to opt out because we cannot be seen or we can't leak any data because we can't have any external source train on the data that we maintain that we operate because you've again force for good and I think organizations need to think about those kinds of policies. Copilot with Microsoft, I think, is wonderful. I think there's so many really good use cases for that. There are some really interesting third-party products and tools that will use that, such as like legal document management and scribing and those kinds of things. You've really got to be considerate about how it's going to use and train and store and offer your data to train other models. That is so important.
Speaker 1:That feels like something if cyber insurers aren't asking about it already, they're going to be asking about. I think that feels like what's your you know and the fact that you guys have policies already around that you know. We've spoken about that recently with another one, I guess, on this show, about the idea of you need to be thinking about these kind of policies now, because it's about risk and it's about people and process and technology, so process being policies, et cetera, and I think that's a hugely important part. So I think that's a great tip. Is there anything else that you've seen as well that people want to make sure they're thinking about?
Speaker 2:I think the other one is acceleration to public cloud. Migration is there. We're seeing repatriation as well, people coming back from cloud because cloud is expensive. We've seen in the security realm lots of organizations looking at adopting, you know, cloud native SIEM technologies like Sentinel, because of the advent that it seems to be cost effective in the login and the monitoring and actually when you go there in the real world that's not the case and it becomes incredibly expensive. So we've seen repatriation of that kind of thing as well.
Speaker 2:So I think considerate adoption of public cloud in public cloud services and always looking at the bottom dollars or the bottom pounds and trying to forecast as much as you can for what that usage is going to be, is really important, because you don't want to be stuck into a three-year contract with committed spend of a lot of money and then you blow past that. So that's important. And I think the final thing is this is not a technology conversation. This is a people and a process conversation. At the end of the day, the majority of security elements cannot be fixed, but you get most of the way there by having amazing people or having access to amazing people, having the knowledge injection into the business, education and continuous reaffirmation of education into the business. Education and continuous reaffirmation of education, having people believe that security is part of their job inside of the business, even help desk workers, knowledge workers everyone's role is security and protecting the business and understanding what these new threats are.
Speaker 2:And then it's process. It's about having an understanding as to what my acceptable risk is. Where do I sit on cyber insurance, or cyber essentials, I should say, or the NIST cybersecurity, all these frameworks that we do? What is my acceptable risk? What is my marginalized risk? What do I want to mitigate? What can I transfer to a third party, be it insurance, be it warranty? I transfer to a third party, be it insurance, be it warranty, and then you know, on a three-year roadmap, when I'm putting all my roadmap of projects together again, how do they interface with the business, what's the risk, what's the appetite, and then what's the business value outcome that we're seeing?
Speaker 1:Yeah, and I think that you know it's a great way to wrap up. Actually. I think they're a really good set of tips and you know, and I think, what I would add into that mix as well we started off talking about I introduced this as we're going to talk about cyber insurance. Please don't turn off. So if you've stuck with us, thanks.
Speaker 1:But I think it's really interesting kind of the way you described that, even when you're thinking about adopting AI, making cloud migrations, thinking about people and process, that so much of this now is driven by risk, and that risk driven by frameworks, driven by cyber insurers. You know, because even if I take that example of moving to public cloud, you are absolutely going to be getting asked by your cyber insurers about how are you securing that? Have you got mfa turned on? How are you protecting the data that goes in there, how you're making sure you recognize potential leaks? You know, are you taking the steps? So, if we're going to pay out at the end of this, have you done all the things that we've asked you to do? And it doesn't matter whether it's on-prem in the cloud mix or both in a SaaS solution, none of that matters Putting data into Gen AI tools, for example. Have you taken the steps?
Speaker 1:Now I think it's interesting that I think, if you're in an IT leadership role no-transcript in IT leadership roles and you know and it's a great thing that you know cybersecurity is getting that kind of board and leadership attention. But we need to make sure that we are people who are working in those roles who know how to have those conversations, because if not, you're not going to get budget to do things. There's going to be potential risk in businesses because they don't take the risk seriously. So I think there's loads of interesting stuff in that. So, well, before we go, nick, you know if people want to find out a little bit more about you, want A little bit more about you, want to find out a little bit more about Arctic Wolf in general, where's a good place they can go?
Speaker 2:Yeah, absolutely. So. You know, arcticwolfcom is a really good place to go and check out everything that we do. We've got some amazing resources and blogs on there. We do a huge amount of webinars, which is more informational about the industry, about vulnerability management and security awareness and how you build an incident response plan. So absolutely go and check some of that stuff out. We've got some really good guides on cyber insurance as well. So if you want to go and kind of read up on what the skinny is and how you get a good policy and reduce your premiums, it's all documented. It's all there About me. You can find me on LinkedIn. I'm at linkedincom slash Nick Dyer. I do have a Twitter, or an ex, however we say it these days.
Speaker 1:I'm still a Twitter man, but yeah, ex, I suppose.
Speaker 2:Yeah, exactly, we've both been on that platform for many many years, but you'll be able to find me there as well. Yeah, and you'll see me out and about in the industry at events and shows and forums all over the UK and Ireland.
Speaker 1:Well, nick, it's been great and really interesting, and you know who knew cyber insurance could be interesting, but I think we did a decent job, or certainly you did. So, you know, and I'm waiting for the day Gen AI takes over hosting this show, because that can't be that far away. So, but, nick, thanks for joining us. We appreciate it, and if you enjoyed this episode of CTO Insights and I hope you have then we'd love to hear your comments. So please leave your comments in all the usual commentsy type places, and if you want to make sure you catch the next CTO Insights, then do subscribe. You can subscribe here on YouTube by clicking on that bit down below where they do the subscription thing, or subscribing in all good homes of podcasts, and possibly some bad ones too. But until next time, thanks for watching.