CTO Sessions: Ian McShane, Arctic Wolf

What predictions do you have for the role of the CTO in the future? “Over recent months, ransomware has dominated the industry space. It is my belief that… for the CTO, they must shift their security mindset.”

Headshot of Ian McShane, VP Strategy and Field CTO at Arctic Wolf
Arctic Wolf

Name: Ian McShane

Company: Arctic Wolf

Job title: VP Strategy and Field CTO

Date started current role: June 2021

Location: London, England

Ian McShane has over 20 years’ experience in cybersecurity and operational IT. As a former Gartner analyst, Ian has advised tens of thousands of organisations worldwide. He is well known as a popular commentator in the cyber industry, and prior to joining Arctic Wolf spent time at Symantec, Gartner, and CrowdStrike.

What was your first job? My first job in the IT industry was Principal Systems Administrator at Cobweb Solutions Ltd. I worked with the team there for a few years in the early 2000s. Cobweb is a cloud services specialist and Europe’s largest hosted exchange provider that helps organisations of all sizes to grow into flexible, agile businesses through best-of-breed cloud technologies. My time at Cobweb gave me a great foundation for my later roles at Symantec, Gartner, Endgame, and CrowdStrike.

Did you always want to work in IT? I have always had a strong interest in tech. I think it stems from being a video games nerd! My primary school in the late 1980s somehow had a bunch of BBC Micro and Archimedes computers, and if you knew how to use them, you were allowed to play educational games instead of attending what in comparison were other boring lessons. My love of tech then carried on through my teen years when I found the bulletin board scene and coding. Fun fact: when I left school in 1996 my Record of Achievement even said that I planned on becoming a software engineer.

What was your education? Do you hold any certifications? What are they? I went straight into work after leaving school, and augmented on-the-job experience with Open University and industry certifications from vendors including Microsoft’s MCSA/MCSE, Trend Micro, Symantec, and the ISC2 CISSP.

Explain your career path. Did you take any detours? If so, discuss. It’s been quite a ride from starting out in an ISP’s call centre doing consumer tech support at the turn of the century to spending a decent chunk of my career at the forefront of cybersecurity with a number of vendors. Despite a few years in product leadership and some aspects of marketing, my roots were forged as a practitioner and that’s the angle I bring to work with me. I always ask: How can I help organisations improve their security, and how can we eliminate the things that are painful as front-line practitioners?

What type of CTO are you? Great question. I think it’s really tempting to focus on innovation and the bleeding edge - and don’t get me wrong, that’s so much fun to work on - but the reality is that most organisations, and huge parts of the target market, are often three or more years behind the curve. Therefore I mould my approach as CTO around leading a team that delivers capabilities that delight our users and customers. I always consider how they are going to adopt and use them and make sure not to punish or alienate customers that aren’t as sophisticated as others might be.

Which emerging technology are you most excited about the prospect of? The cliché answer is of course something about using machine learning (ML) and “AI”, so I hope I’m not insulting my data science friends when I say that I’m fed up of hearing the same promises of AI being the saviour of everything in cybersecurity. Where I do see the promise is in ML processing and classifying vast amounts of security event data faster than humans ever could. Especially as after years of largely unfulfilled marketing promises, we are finally seeing the industry begin to be able to remove alert fatigue misery. This sings to my practitioner background!

Are there any technologies which you think are overhyped? Why? I believe it is essential to separate hype from genuine innovation. To do so, I look at the outcome, not the words or language. In an industry dominated by marketing buzzwords, it’s easy to get lost among similar-sounding capabilities and renamed or rebadged things. You only need to look at the current trendy terms like XDR, and the fad of adding “.ai” to your domain name as a way to build your hype for investors and Wall Street, to see it happening.

What is one unique initiative that you’ve employed over the last 12 months that you’re really proud of? Like many businesses over the past couple of years, Arctic Wolf has had to adjust. We were somewhat lucky in that, as a distributed company with employees and customers in multiple time zones and countries, we already had some insight into distributed working. Throughout the pandemic, we introduced, and now intend to maintain, many telehealth and virtual options for employees to access mental health and wellness resources. We also rolled out our #PackStrong initiative, designed to strengthen ourselves in specific areas including mental and emotional wellbeing, resiliency, and stress management. We offered live wellness webinars (I.e. meditation and yoga) and wellness challenges as we know that stronger wolves make for a stronger pack.

Are you leading a digital transformation? If so, does it emphasise customer experience and revenue growth or operational efficiency? If both, how do you balance the two? As a leading technology company, Arctic Wolf was really ‘born’ into the digital age so while the pandemic caused extreme acceleration in digital transformation for many organisations, it was business as usual for us.

What is the biggest issue that you’re helping customers with at the moment? As I look at my notes from customer conversations, it’s pretty shocking that so many organisations report the same types of issues that have been around for over a decade (I’m ageing myself here!). I see a lot of organisations exposed to the true risk of the threat landscape when they get infected by ransomware. The headlines always talk about nation states and so-called advanced threats but the reality is that most incidents and attacks are opportunistic and not targeted. As we see with large attacks such as Kaseya, organisations can do everything right but still get compromised due to something outside of their control.

If the pandemic drove 2020 and 2021 to be the time of accelerated digital transformation to cope with the distributed, hybrid work life, then 2022 and 2023 will be the coming of age for cybersecurity. More organisations are taking security seriously. I don’t mean just spending money, but I mean operationalising. I mean holding vendors and suppliers accountable. I mean truly trying to measure their current risk and doing something about it. I mean actually testing their disaster recovery plans.

How do you align your technology use to meet business goals? With a mission as important as ending cyber risk, we’ll continue investing in the tools, technologies, and humans that we use in our cloud-native platform. After all, it’s the foundation for us to deliver the operational excellence and security outcomes that are critical for organisations! As there is no one-size-fits-all approach to security, we strive to be an open, vendor-agnostic company by adding further support and seamless integrations with more and more standalone tools that cause the biggest pain points for IT and Security teams. This, our advisory services and our concierge security team, will ensure that every customer is as secure as they can be, and that they have a path and a strategy to continue to improve cybersecurity in a way that is right for them.

Do you have any trouble matching product/service strategy with tech strategy? To me, the most critical aspect of product strategy and planning is understanding the desired outcome or outcomes. If you can articulate the successful outcome, you’ll have a much better chance of addressing the need or problem you’re solving for, and solving it in the way that is right for the user.

What makes an effective tech strategy? Over the last decade we’ve seen cybersecurity move from a poorly understood subset of IT to a central part of business strategy and risk management. This means that a cybersecurity tech strategy has to be elevated from a purely tools and tech perspective to the same level as other business-critical functions. Thinking about business and process needs before technology helps ensure you’re solving the problem in a way that can and will be used effectively.

What predictions do you have for the role of the CTO in the future? Over recent months, ransomware has dominated the industry space. It is my belief that ransomware is just the start of a bigger cybersecurity challenge UK businesses will face this year and beyond. One discussion currently being overlooked is the ever-more complex and evolving threat landscape businesses need to prepare for next year. It will be down to CTOs to navigate this landscape and ensure their teams are adequately equipped.

While ransomware is here to stay, soon it will be recognised there is a bigger issue at play here - the entry point. Often technology is considered to be the first line of defence, but the first line of defence is actually users. Right now, people don’t consider standard technology and users part of the greater supply chain because it does not feel like a security issue. The fact is simply using email is a supply chain concern.

For the CTO, they must shift their security mindset. Instead of focusing on what to do reactively after being attacked, they will learn how to predict and bolster their security posture by using data science to model scenarios that can highlight any potential weaknesses in the supply chain. This, though, will only come in tandem with greater transparency and we’ll need to decriminalise and destigmatise the “scarlet letter” that comes with disclosure. Rewarding businesses for proper security behaviour and giving them more visibility into how incidents are handled will encourage them to be more security-conscious, and means they’ll be in a much better position to combat the evolving cyber threats coming their way in the future.

What has been your greatest career achievement? I think there’s a lot of nuance to the word achievement as something that’s finished and I don’t think anything in cybersecurity is ever ‘done’. So I’ll twist my answer to say that I’m proud of the things I’ve been able to contribute to that help companies and vendors be a force for good. The simplest things can often have a huge impact like providing honest and impartial guidance and direction, and I’m proud that I have the chance to help keep good people from suffering the impact of bad intentions.

Looking back with 20:20 hindsight, what would you have done differently? Honestly, I still can’t believe I’ve been so fortunate to have the career I’ve had so far. I’ve benefited from a huge amount of luck and privilege which I’m trying to pay back (or pay forward) and there is very little professionally that I would want to change.

What are you reading now? I just finished up an excellent look at the recent cybersecurity history - This Is How They Tell Me the World Ends by Nicole Perlroth. It’s a great insight into parts of the industry that many people have no idea exists and I’d recommend it to anyone working in cybersecurity. Additionally, our DEI group here has a “Well read Wolves” book group that introduced me to a really educational book called Biased by Jennifer Eberhard. In the fiction field, the last book I read was Dark Matter by Blake Crouch.

Most people don't know that I… Would have chosen a career in music, if not cybersecurity. It’s fun that so many folks in cybersecurity have a passion for music – almost every Zoom call will have someone’s musical instrument in the background. Sadly, I’m more of a karaoke enthusiast than a musician these days.

In my spare time, I like to…Get tattoos! Every time I’m in the studio for something new I joke that “getting tattoos is stupid” and although the process is arduous, I’m (almost) always happy with the outcome.

Ask me to do anything but… Keep me away from anything made with canned tuna.