The Voice of Cyber®

KBKAST
Episode 263 Deep Dive: Naran McClung | The Benefits of In-House SOCs vs Outsourcing
First Aired: June 14, 2024

In this episode, we sit down with Naran McClung, Head of Azure, Macquarie Cloud Services from Macquarie Technology Group, as he shares invaluable insights into the world of Security Operations Centers (SOCs). Naran discusses the pros and cons of in-house SOCs versus outsourcing, shedding light on the expectations businesses have for outsourced SOC services and the challenges of maintaining an in-house SOC. He emphasizes the importance of efficiency in building runbooks, standing up SOC operations, and the significance of minimal downtime. Stay tuned as Naran McClung provides a wealth of knowledge on managing 24/7 operations, structuring SLAs, and much more. So, let’s jump right into this fascinating discussion on SOC operations, security posture, and the evolving landscape of cybersecurity.

Naran McClung is an experienced IT professional and business leader, with an international career spanning over 20 years. He has defined and led significant technology transformation programmes within Finance and Media verticals, and has executed strategic engagements throughout the UK, Europe and the US.

Naran McClung runs the Azure business for Macquarie Cloud Services (MCS). The business was incepted in 2019 and publicly launched February of 2020 to coincide with the inking of a unique and strategic agreement with Microsoft.

MCS has consciously chosen to only work with the Azure Cloud Platform, believing in strength in depth and a truly committed Partnership with Microsoft. MCS is now the fastest growing Azure Managed Services business in Australia, and the only Azure Expert MSP to also be a Microsoft Intelligent Security Association (MISA) member.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Naran McClung [00:00:00]:
I would recommend any business out there seeking an outsourced SOC provider, if they’re not being completely open and transparent, they can’t showcase each and every aspect of the service. If they can’t offer a sense of assurance of what it’s gonna cost and what it may cost in the future, etcetera, and what’s going to influence cost to our ingestion and SIEM platforms and alike, all those things that contribute to the overall cost of the service. Get deep on it. Right. And seek out an MSP who’s prepared to expose and show you all aspects of what they do.

Karissa Breen [00:00:47]:
Joining me today is Naran McClung, head of Azure Macquarie Cloud Services for Macquarie Technology Group. And today, we’re discussing the benefits of in-house SOCs versus outsourcing. So, Naran, thanks for joining and welcome.

Naran McClung [00:01:03]:
Yeah. Very happy to be here. Thank you.

Karissa Breen [00:01:05]:
So I wanna structure this interview a little bit differently to what I’ve done in the past. So maybe before we go for the not the 4 and the gangs, but maybe looking at both sides, I wanna explore more. But maybe let’s start with your sort of summary on, you know, in-house SOCs versus outsourced with your experience, with your background, with what you’re sort of doing day to day. We’re keen to sort of start with that first.

Naran McClung [00:01:27]:
Yeah. Sure. Look. I mean, let me start by saying there are many excellent in house SOCs around Australia. We do come into touch with them from time to time. And obviously, we maintain a very strong community, working relationships with various senior SOC analysts around Australia. Some of those work for in house SOC. Some of them work for other MSPs.

Naran McClung [00:01:47]:
So we’re acutely aware of what’s out there. As Macquarie Cloud Services, we obviously maintain a SOC arrangement, an outsourced SOC arrangement that’s very Microsoft centric. And, clearly, I have a view on that. I would say that SOCs are expensive. So if you’re lucky enough to have the money, the people and the depth of skills within your organization to maintain a SOC, that’s fantastic. Equally, though, for mid market corporate Australia, that can be challenging. There is a short supply of security expertise across Australia. And obviously, there’s a sort of a minimum cost of investment if you think of the people required to maintain a SOC and certainly a 24 by 7 eyes on glass type SOC arrangement.

Naran McClung [00:02:30]:
And then particularly with the investments in tech, it’s a huge investment for a business. So we’re grateful as Macquarie Cloud Services to have an offering that’s suitable for those businesses that can’t afford their own SOC, but certainly out there, particularly with enterprise, there are any number of excellent in-house SOCs.

Karissa Breen [00:02:47]:
Yeah. That’s interesting. And especially around, like, the price side of it and the cost. Right? So I’ve spoken to a number of people over the years, in industry saying that, you know, when we’re outsourcing something, perhaps they’re not acutely aware of some of the cost or how it runs. So I’m curious then to just jump in that first and go a little bit deeper on. Do you think that people aren’t really aware, like, you know, what do they sort of get for what they’re paying for? What are the SLAs? Do you think there’s sort of a lot of confusion around that from your experience?

Naran McClung [00:03:14]:
Look. There’s a lot of disparity in expectation. That’s the first thing. Quite often when we speak to certainly new prospects, they’re desperate to solve a problem. That’s a problem that all businesses in Australia recognize that they need to be more astute on top of their cyber defense. And there’s a wide range of expectation when we look at, you know, the needs of a SOC or the requirements to stand up a SOC, clearly we have a view of an MSP. And if you really break it down, there’s people, process and technology. I’ll just start with technology.

Naran McClung [00:03:47]:
From our perspective as an MSP, we’re seeking to offer obviously a platform that’s going to address the needs of, like I said, mid market, corporate, Maurer Enterprise Australia, and even enterprise customers today as well. It’s a very Microsoft centric approach that we’re taking, particularly when we look at products like MDR and Defender XDR capabilities that we bring to bear. But doesn’t really stop there. Like, for us, it’s important that we’re able to innovate. It’s important that we’re able to take that further. Look at all the work and investment and the product and architecture expertise we have in our business to evolve our threat intelligence capabilities and then taking that further with what we call our SOC digital twin that I’m hopeful we can expand upon during this conversation, which leverages generative AI to reduce the amount of noise that a SOC can take in. These are all huge investments in time and in people capable. So for a business to what are embark on that journey on their own, it’s a big undertaking.

Naran McClung [00:04:49]:
And like I said, many enterprises have done this and done this successfully, but there’s a considerable amount of time, money, and effort involved to do that. And, obviously, any SOC operation, once live, doesn’t remain static either. It has to go through constant innovation and evolution as threats change, the landscape out there changes as well. And obviously, the underlying technology that we’re protecting, all those inputs that would give us a concise view of the threat posture or security posture across the organization. They change to new projects, new services, new demands, and perhaps new risks from the business that then have to be back considered within a SOC. So there’s quite a lot in there. The challenge for us as an MSP is difficult enough to stay on top of that, but it’s a challenge that we embrace as a business. We enjoy, and I think part of the fun for me certainly is getting out there and having conversations with businesses to better understand that sort of more adaptive and agile aspect of the service that we need to bring to market.

Karissa Breen [00:05:51]:
You mentioned before, Naran, about expectations. So what do people sort of expect? Now I’m curious to hear your thoughts because, again, sometimes when depending on who you’re working with, if you don’t know, you don’t know. Sometimes the expectations are higher. Sometimes people just are unaware. So what are some of the things that people expect of outsourced SOC?

Naran McClung [00:06:10]:
Almost universally is that the service is 24 by 7. That might sound silly. Right? But it’s not unheard of. We’ve seen other SOC operations try and offer a sort of a business hours type capability. In my experience, certainly within our customer base, they wanna know they’re protected all the time. It’s very logical, isn’t it? You know, you would want the service to stop in 2 or 3 in the morning, for example, cyber attackers. They’re like, well, the SOC service isn’t operational, so let’s go. Right? So 24 by 7 is critical.

Naran McClung [00:06:41]:
So you need eyes on glass. You need to know that your mean time to respond, which is a critical metric, is with an acceptable SLA. Now within our business, and certainly if I look at, say, industry best practice, would say that if you have a mean time to respond of around 7 minutes, you’re doing very, very well. We’re hovering somewhere around 2 or 3 minutes at the moment, taking advantage of that generative AI and OpenAI capabilities that we built in our SOC. That’s just one example of us meeting one particular expectation. Second expectation or another one, I should say, is do you have good coverage of the business? So if you think about what a SOC is, at the heart of any SOC is a SIEM. Right? It’s a security information event management platform. And like any platform, it’s only as good as its inputs. So it’s very important that when we take on a new relationship with a customer, we onboard them, that we have the right feeds from within the business to give us a really accurate portrayal of their threat posture and their security posture.

Naran McClung [00:07:40]:
And that way, when we take threat feeds, so as a top down approach, threat feeds from all the different industry feeds that we integrate with our SOC that we can correlate those with meaningful touch points within the business. So the SIEM platform itself is only as good as those inputs. It’s critically important that we work closely with the business to ensure that we have all the right insights from the business, their services, their technology, etcetera, such that we can have an informed opinion on any given day of whether they’re exposed to risk. And that’s another huge expectation. I’ve touched on innovation already. So that is another big expectation too, and that is that our service can’t be static. Our approach to that today is that we introduce new modules. We have a very modular architecture.

Naran McClung [00:08:27]:
I can give you two examples of new modules that we’ll be bringing to market. One of which is breach attack simulation. Similar to almost like a pen test type remit, which is that you’re constantly testing the boundaries, testing the limitations, looking for holes, looking for gaps in threat posture. That’s really important. You think week to week, our SOC is looking to improve security posture and improve security score. We’re looking to plug holes. We’re looking to plug all the time. But equally, we shouldn’t rest on those laurels.

Naran McClung [00:08:58]:
So breach attack simulation helps us to stay honest to that remit and look for those extra risks. And additionally to that, we’ve got dark web monitoring. You’ve probably noticed this too if you’re using Office or Microsoft 365 or perhaps Google Suite of applications from time to time, you might get an email saying, hey, look, you’ve used a password on an application out there in the Internet, perhaps a social media app or something that’s been breached, and that same password relates to other services that you have in play and those have been exposed or found in the dark web. That’s something that our SOC is taking on. And the fun fact for our statistic, and I mentioned this yesterday in another event that I was hosting. So it’s the percentage of prospects and customers alike where we’ve looked in the dark web for compromised credentials. What do you think the percentages of those customers and prospects are like where we found credentials in the dark web? It’s an open question for you.

Karissa Breen [00:09:54]:
Oh, I don’t like this question. I’m going to say 50% in the middle.

Naran McClung [00:10:00]:
It’s a 100%. Yeah. A 100%. Now some of that is so what? Some of that is, you know, your name, your mobile, your email address, for example. Right? That does form part of your identity. But a 100% of the organizations that we’ve worked with, we can identify that a degree of their identity, their information exists in the dark web, which is pretty scary. Now clearly, there’s a malicious side to that too, and there’s an escalating level of concern on a case by case basis, but it’s a critical part of our service offering to work with our customers and ensure that if they are compromised in that context, that we can then feed that back and work with them to address it.

Karissa Breen [00:10:37]:
Okay. I wanna get back to something you said before, which I found interesting because I was talking to someone in the industry. Said around the 24 by 7 or follow the sun model as people talk about. Now would you say and I guess this is always dependent on who you’re working with. Would you say that because obviously, you know, Australians are gonna work, you know, 24 by 7. So sometimes people, you know, outsource, so they piggyback off another SOC elsewhere in the world before it’s done. Model You find and the quality goes down though in terms of like, oh, okay. Well, now we’re switching over to the team overseas.

Karissa Breen [00:11:07]:
Are you seeing any of that? Now I ask this question because I speak to people in industry all the time, and I’m hearing a little bit of that. So I’m keen to get your thoughts.

Naran McClung [00:11:13]:
It’s very case by case, but I wanna give you an answer. I just wanna sit on the fence. Look, I would say, in my experience with Follow the Sun, where service tends to track around the world, my personal experience of that is it’s been a fairly poor experience. There are examples where I’ve seen it well. So, for example, in working with Microsoft on critical events, particularly when I was working out of London, for example, on a critical issue. I have seen that work successfully. Now I would say that’s hugely expensive and that is sort of one example where I’ve seen it work.

Naran McClung [00:11:46]:
On the whole, though, I’d say general perceptions are in line with what you’ve said and that service can tend to drop off a little bit because you’ve got hand as well. You think the effort that you put into establishing an incident, getting the right people on, making sure they understand the context and the sensitivity, all the moving parts, they’ve analyzed the logs, etcetera, to hand that over in anger, particularly when you are stressed and it’s a high profile situation for you or the customer, there’s always a little bit of overlap and downtime. Right? So the experience is already strained straight off the back. And yes, global organizations will argue that it’s possible to do that efficiently. In my experience, it comes at a cost. So I think if you’re in a position to offer a sovereign capability that is genuinely 24 by 7 and without compromise, I think you’re in a strong position.

Karissa Breen [00:12:35]:
So if someone called you up and said, okay, Naran, well, we’re a business, a manufacturing business or whatever it is, and we have to do it 24 by 7. How would you advise someone to run that effectively? Right? Because you make sense in terms of the hand off and, you know, multiple people are involved. Maybe there’s 3 different parties that are managing this 24 by 7. Right? How would you advise someone to do this? That way, they are getting the outcome, they’re not let down, and they’re satisfied with the service.

Naran McClung [00:13:00]:
Yeah. Good question. Good question. So I think you’ve really gotta capture the essence of the problem and ensure that that data is shared well in advance of when you need to do the handover, the other team. So a really excellent problem description, obviously, access to all the relevant artifacts and logs, etcetera. You wanna really front load that before you hand over to new teams and new individuals. That’s really the only fighting chance you’ve got to do that. In an ideal situation before hand off, you get a representation from the new team, let’s say, within an hour or 2 hours of handover such that they can get a sense of how the call’s going, get a sense of context, and some of the criticalities of what you’re dealing with prior to handover as well.

Naran McClung [00:13:42]:
And for me, these are all just, you know, ways in which you can reduce the burden of handing over to a fresh team. You don’t want them to be entirely fresh. You want them to be informed such that they can pick the baton up and be effective as fast as possible.

Karissa Breen [00:13:55]:
Now the other thing I wanna ask you as well is SLAs. Now, again, big industry all the time. I was talking to someone literally probably a couple of weeks ago, and they are using an outsourced capability, and the SLAs were raised. And then how they were sort of structuring the SLAs was like, well, when we understand more about the alert, that’s when the SLA sort of starts from memory rather than when the alert sort of happened, which wasn’t effective. Right? So I’m curious then to hear on your thoughts around this murkiness around SLAs, and therefore, you’re gonna get in this conundrum a little bit. So, of course, the client was like, well, it doesn’t really work for us because what happens if your guy doesn’t see this alert for 4 days or, you know, multiple hours? I’m seeing a bit of that. So I wanna sort of debunk and demystify that theory.

Naran McClung [00:14:43]:
Yeah. Sure. Alright. So, look, within any SOC, you’ll have SOC analysts, sometimes multiple tiers of SOC analysts. But let’s just use the term SOC analyst more generally. You want the SOC analyst to be working on a meaningful incident as fast as possible. That’s the key. Now, as with infrastructure monitoring, cloud services monitoring, there’s an incredible amount of noise that you need to filter out.

Naran McClung [00:15:05]:
So before a SOC analyst has a fighting chance to respond or triage, typically there’s a raft of noise that you need to mitigate out and you need to make sure that any sort of hallucinations or false positives or anything else have been removed before a SOC analyst is forced to engage with something. So we look at 2 key metrics. We look at mean time to respond and mean time to triage. To give our SOC analysts a fighting chance to work on the right incident at the right time, we’ve spent an incredible amount of time creating what we call our SOC digital twin, which is our Azure OpenAI developed capability that filters out the noise. Now we have, obviously, human resources looking at that process end to end to make sure that we don’t miss anything, and it’s constantly retrained. And the model is retrained as we go. But for us, if you can like I said, if you can get the SLA to 7 minutes or less, you’re doing better than industry best practice on mean time to respond, which I think is critical. And then once our SOC analysts are reviewing an incident, you wanna make sure that they can enact quickly.

Naran McClung [00:16:09]:
So most of our customers, I would say 80% of our SOC customers are also managed service customers for the underlying infrastructure and services as well. And if it’s public cloud that relates to Azure, why is that important? You wanna be able to effect change really, really quickly. So if you’ve done a good job of filtering noise, you’ve got that mean time to respond down to 7 minutes or less. And in our case, sort of 2 or 3 minutes, you’re doing very, very well. And then when it comes time to perhaps stop a lateral movement or effect change very quickly, if you are also managing the underlying services, you can do so providing you have the right governance in place and the right capabilities. And I think that’s putting you in a very, very strong position.

Karissa Breen [00:16:48]:
But then just asking a little bit more on that because these things are important. Again, this is coming directly from industry, people that are working in these functions internally. The only thing I’ve heard of as well is, like, companies coming out and saying that they’ve got this SOC capability, but it’s, like, maybe half an analyst for, like, half a day a week or something like that. So they’re not really offering the capability. Have you seen a bit of that, and what’s going on there?

Naran McClung [00:17:10]:
Yeah. Look, there used to be this sort of adage that if you didn’t hear from your SOC provider, that must mean everything’s okay. Right? Because you’d only hear from them in the event of an incident. I think the opposite of that is true. I think you should hear from your SOC on a regular basis. And this notion that you’re safe just because you pay someone or it’s somebody’s responsibility to look at it is false too. You get a couple of really good examples here. So in the last 18 months when we have been onboarding, so our onboarding experience could take on average somewhere between 3 to 4 weeks.

Naran McClung [00:17:40]:
It can be longer for a bigger enterprise customer. Sometimes it could be shorter too. It could be less than 2 weeks if you’re a sort of a smaller mid market customer. Let’s just say 3 to 4 weeks. Twice in the last 18 months through onboarding, we have picked up on live incidents, as in live cyber breach within a customer environment that they had no idea was ongoing. So as Sysic Foye and I work we work very closely with a number of leading security experts around the country. He’s a fountain of knowledge as it relates to stats, and the key stat that he said to me was that on average, it takes a business 281 days to realize they’ve been breached. 281 days.

Naran McClung [00:18:16]:
Let that sink in. So in our experience, in the last 18 months with 2 customers that we were onboarding and our service wasn’t even live. Right? So we haven’t even properly stood up the service. We didn’t have the right people, eyes on glass. All of that was still going through. We managed to pick up live incidents, and both of those customers had outsourced SOC arrangements. They assumed they were safe. They assumed everything was okay, and the opposite was true.

Naran McClung [00:18:41]:
And then we had to immediately spring to action and mitigate what would have been material risk to those businesses.

Karissa Breen [00:18:47]:
So you mentioned before so thank you for sharing that example. You mentioned before that, you know, customers should be hearing from the outsourced SOC regularly. So define regularly because I know it depends, like, just give me a bit of a number or what does that look like so people sort of know, like, hey. Maybe the company we’re using, we hear from them once every 6 months. Maybe that’s bad. Well yes.

Naran McClung [00:19:09]:
Sure. Look. Contact can occur across any number of different mediums. Right? It’s not I’m gonna paint a picture that our SOC gets on the phone every 15 minutes and badgers the hell out of our customers. That would annoy them no end. So I’m not describing a scenario like that. What is normal, though, is certainly weekly contact, whereby we can talk through incidents that we manage. We want to talk through our adherence to the SLAs.

Naran McClung [00:19:32]:
But better than that is how are we improving your security posture? How are we improving your underlying cloud posture as well? That’s an ongoing discipline. How are we patching vulnerabilities within your environment? If I look at all the dashboarding that we provide our customers as well, and we’ve got, like, some 50, 60 different Power BI driven dashboards that we make available to our customers. That’s a form of contact too. Now I’m a firm believer in sort of trying to move away from static reporting. I’m not a big fan. I mean, certainly customers do ask us to produce static reports, summaries of our service and things that we’ve done. And that’s fine if that’s what they need, perhaps with their own management tiers within their business. But what I’m more fond of is live digital timelines of change where we can on any given day or week showcase everything that we’re doing.

Naran McClung [00:20:20]:
Proactive change, new modules, new service, evolutions to how we manage underlying services, particularly as it relates to cloud governance. How are we tracking with deployments if we’re doing a Defender XDR deployment? How is everything running as it should, etcetera? So this is it’s a constant living ecosystem of service and capability and agents and ways in which we want to let our customers know that we are working, we are constantly improving and we are constantly evolving the threat posture within an organization. So I think it’s important to surface that up. I think it’s important to obviously email out summaries to customers of things that we’ve done. Obviously, regular cadence of meetings is important. The customer gets to set the tone and pace of those meetings as it relates to them. New projects are obviously always interesting. This idea is sort of secure by design.

Naran McClung [00:21:12]:
Clearly, we work closely with our customers as they deploy new technologies, and there’s a security lens to each one of those projects. So our SOC team should be involved there in determining what impact those new services or applications or projects have on this SOC operation. So what do we need to consider? And that’s another example of contact as well. So SOCs are active. Right? They’re an active part of the business. It’s not just something that sits there and you wait until the big shiny red light starts flashing is a much more proactive nature to the service. And I think as a result of that, contact needs to be more regular.

Karissa Breen [00:21:47]:
Okay. Now that we’ve discussed the summary, which has gone into detail, I do wanna get into maybe some of the outsourced benefits just from your perspective. So maybe let’s start with one of the ones is no migration required so teams can focus on other work. Maybe your 2¢ on that would be great.

Naran McClung [00:22:05]:
Okay. Look. We do come across this clearly. So if there’s an existing SOC capability either in house or perhaps with the outgoing outsource provider, there’s a transition to service as it relates to a transition to our services. For example, in my experience, the technology is the least of your worries there. If you’re a good MSP and one that’s adopted technologies like SOAR and automation and you’ve got well defined runbooks within your business, I think you can conduct really efficient onboarding experiences. But certainly, there is a transition workload that needs to be undertaken. I think it’s a misconception that this needs to be a 6 to 9 month exercise, by the way.

Naran McClung [00:22:45]:
I think there’s some consulting organizations out there in Australia making a hell of a lot of money telling businesses that these things are people heavy and they need to take a huge amount of time. I don’t think that has to be true. Like I said, the example for us in our onboarding experience, done the hard work on automation, you can get onboarding down to 3 to 4 weeks on average, and there’s no reason for it to take longer than that. Beyond technology, it’s the business rules really that are important. Right? So if you are transitioning one SOC to another, you wanna make sure that capture those well defined, all those business rules that are deemed to be valuable by the customer that should transfer over. Now, clearly, there’s an argument. You know, if you have an in-house SOC, you don’t have to worry about that. Well, there’s still an investment in standing up the service too.

Naran McClung [00:23:28]:
So whether it’s outsourced or insourced, any good SOC operation has to take those top down inputs as it relates to threats, those bottom up inputs as it relates to security posture and making sure that you capture the essence of the business sufficient to correlate to threats. There’s an investment in time there. There’s an investment in time in building out those runbooks as well to make sure that you can be effective in responding to incidents. So you can go either way. You really can. I think there’s a burden on an MSP to be really efficient doing that because clearly it could be a barrier. Right? If we come across a customer who’s reticent to embark on that transition, it’s on us. It’s prudent for us to be able to tell a story that we can do so efficiently with minimal downtime.

Naran McClung [00:24:10]:
I think that’s critical.

Karissa Breen [00:24:11]:
But hang on. I wanna go back a second. So you’re saying companies out here in Australia are saying 6 to 9 months onboarding. You’re saying 4 weeks. What are these people doing within 6 to 9 months?

Naran McClung [00:24:21]:
Making money.

Karissa Breen [00:24:22]:
Well, that’s not a good thing if they’re saying something takes that long. That’s almost a year.

Naran McClung [00:24:28]:
That’s right. Look. I don’t wanna name and shame. It’d probably be counterproductive for me to do today, but let me just say that there’s consulting organizations out there. It’s their bread and butter to make money on the people required to push that out. We don’t charge for onboarding in our business. There’s no access. There’s no concept of paid professional services within our business.

Naran McClung [00:24:48]:
We feel like we earn the right to be the managed service provider. We earn the right to be the outsourced SOC provider by doing a very good job of onboarding, and we don’t charge for it. Now in any business, if you don’t discretely charge for something, you inherently become efficient at it because you want that service to be stood up. And if I’m honest, you know, you wanna be able to charge a customer for a service that’s live and fit for purpose. So we deliberately don’t charge for that. And it’s I think it’s refreshing for our prospects and customers to be able to take that on and sort of demystify the time it takes to do that, particularly if we’re not trying to sort of make undue money from the customer in the process. So I just I don’t agree with that as an approach.

Karissa Breen [00:25:29]:
Absolutely. And I think that that’s what’s important about if someone is listening to this and that’s what’s happening to them, maybe that this is gonna give them an awareness that probably, you know, there’s a bit of fabrication going on there instead of timelines. So, okay, I wanna move then on to again, following the outsource side of things, limited agility. So platform is managed by a third party. Maybe walk me through your thinking here.

Naran McClung [00:25:53]:
Okay. Let’s try and play both sides. So within our business, I know that we have to be relevant. We have to be relevant to mid market corporate enterprise customers, which means our service has to evolve. I gave you a couple of examples of how we introduce new modules to service on a periodic basis. That’s one example of how we try and stay agile as it relates to depth and capabilities of service. An in-house SOC perhaps doesn’t need to cover perhaps as many use cases as we do given the wide array of customers and different demands that are placed upon our SOC operations. So perhaps an in-house SOC is maybe required to be less agile perhaps or maybe also they have an advantage of being more culturally aligned to their business in that if they’re working very closely with the same product teams and business units, for example, then they can build a SOC that’s perhaps tailored to those needs.

Naran McClung [00:26:50]:
Sure I’m answering your question there, but I know agility for us is about staying relevant in market and making sure that our service is attractive to new customers as well as addressing the risks of our existing customer. Whereas for an in house SOC, they’ve probably got less moving parts to deal with.

Karissa Breen [00:27:06]:
And you stay relevant in market. You mentioned something before around not resting on laurels, which I 100% agree with. I think there are a lot of people out there resting on laurels, so I’m keen to see what does that then look like from your perspective.

Naran McClung [00:27:17]:
We operate in a competitive market. So, you know, there are other MSPs that profess to do a good job. It’s my job to convince prospects and customers that what we do is industry leading. We work super closely with Microsoft. If I look at how we try and differentiate ourselves as a Microsoft security provider, I think we’re the only Azure expert MSP that’s a member of Microsoft’s Intelligent Security Association. We know that all our SOC analysts are participants in various communities around Australia, some of which they chair, which means they get fantastic industry feedback. It’s a funny thing too, you know, with a SOC. Some of your best work is the work you do in managing live cyber incidents on behalf of your customers and live breach.

Naran McClung [00:28:02]:
And yet it’s the work we can’t often talk about. We’d love nothing more than to be able to stand on top of rooftops and say, hey. For this customer, we created this risk in this time. We did all this wonderful work. Clearly, it’s sensitive information, and our customers wouldn’t want us to speak of them in that fashion. But it’s the burden of any SOC. I think the best work they do is the work they can’t speak about. But I know our standing with Microsoft.

Naran McClung [00:28:26]:
I know our expertise with Azure, the skilled people that we hire and retain within our business and the exposure to projects that we give them to houses to retain them as well, which is super important. All of this gives us the ability to innovate, I think, in unique ways. I know our work with the engineering teams in Microsoft product group, and you think about, like, who Microsoft is in the security space, world’s largest security vendor. So they see things that other security vendors don’t based on the same scale. And if we’re in the best possible position to take advantage of those insights, plus our own insights from our own customer base and the piece that we work with, then on any given day, week, month, year, etcetera, our road map should reflect the innovation necessary to stay relevant within our customer base as well as to attract new customers. And, look, it’s part of what I love. You know, it’s part of what our teams love, our architects, our product people. They live for this.

Naran McClung [00:29:23]:
So we’re in a really strong position to keep those people happy and stay on the front foot.

Karissa Breen [00:29:28]:
Okay. So let’s keep moving forward on the outsourced side of it. So increased platform overhead cost. What are your thoughts on this one?

Naran McClung [00:29:35]:
There’s a lot in it. So if I look at our own platform costs, and I’ve given you sort of an example of threat intelligence. So threat intelligence for us is sort of manifesting 40 to 50 paid for threat feeds that come into our SOC. This includes our working relationship with the ASD as well. Fun fact is that over the last 20 years, been doing cyber defense for, I think, about 43% of federal agencies in Australia as well. We have a huge investment in threat intelligence as part of our SOC. We spend hundreds of thousands of dollars on threat feeds every month, and all our customers benefit from that. If you are maintaining a SOC internally, clearly you want to have the threat feeds that are relevant to you and perhaps your own threat posture.

Naran McClung [00:30:24]:
So there’s a big investment there, but we have the economies of scale of an MSP that can spread that cost over all our customers, which I think is a huge advantage. Other platform costs for us. I mean, I’ve sort of touched on our work with Gen AI. It’s refreshing, though, actually. So it’s very inexpensive for us to eke out those advantages. And I talked about how we’ve been able to reduce our mean time to respond down to 2 to 3 minutes. It cost us very little to do that from an infrastructure perspective. Obviously, the innovation and skills required to build that solution took architects and product people time to do that.

Naran McClung [00:31:02]:
So, again, it’s not to say that it’s impossible for an in house SOC to do that, but it’s just an investment in time and focus. And we’re lucky enough, I guess, to have the people and the time to invest in that. So all of these things sort of form a picture of platform for us, and that’s before we look at the people and process side of our service offering. But it is a big investment, but it’s necessary for us to keep our customers safe as well as to attract new customers to our business.

Karissa Breen [00:31:30]:
Let’s now flip over to in house and benefits. Again, I got a couple of points on this. So keen to hear your thoughts. So maybe let’s start with the first one. So faster outcomes because of understanding business objectives. I think you mentioned before around being more culturally aligned, and the requirements. So talk to me a little bit more about this.

Naran McClung [00:31:47]:
Look, if an in house SOC is sort of sitting side by side with their product teams, their project teams, etcetera, and if they’ve adopted good practices, secure by design, whether you’re interfacing with relevant security skills and expertise, then they’re in good shape. Right. And they’re hopefully making the right decisions at the right time and feeding that into this sort of their in house SOC capabilities. Culture is important. We work very hard, certainly as an MSP to try and align best to the culture of the customers that we have. It’s not surprising to me that sort of over 80% of our SOC customers are also managed service customers for infrastructure public cloud as well, because really, what’s the point of having an amazing flashing red light if someone isn’t around at 2 or 3 in the morning to effect change? So that’s sort of one way that we help to address that, I think, is taking on that additional responsibility. But certainly of the in house SOC capabilities that we’re aware of and particularly within enterprise, particularly, they can do a good job of embedding themselves within business, making themselves known, being very helpful, obviously, striving to never be a barrier, this sort of adage that security puts the brakes on things all the time. It doesn’t have to be like that at all.

Naran McClung [00:32:59]:
I think good culture internally can overcome that with the right attitude, certainly, and the right skills. So there’s pros and cons either way, but certainly an in house SOC can embed themselves in business and make themselves very helpful. I think that’s a strength.

Karissa Breen [00:33:13]:
Okay. And the other point that I have here as well is developing retained skills within the business. What’s your view then on this point?

Naran McClung [00:33:20]:
Look, security skills, people, expertise, they’re hard to come by in Australia. I don’t think it would be a surprise to you that every organization, every MSP is desperate to find the right security skills that they need, whether they’re going to outsource them or provide for them in house. You know, CISOs are in short supply. Skilled SOC analysts are in very short supply. I’ll look at what we do to attract staff. I mean, we work really hard. We work with universities across Australia. We have a fantastic graduate program.

Naran McClung [00:33:53]:
We spend the right amount of money too. Let’s be honest. We have to you have to pay for these people. They’re a special breed too. So our SOC analysts, much like our infrastructure and Azure Cloud Architects and product people, they want to be students of the game. They want to apply their craft. So it’s prudent for our business to create an environment where they’re exposed to the customer scenarios, the use cases, the problems, the projects where they can flex their intellectual muscle and really demonstrate their skills and capability. And I think about my working relationship with our senior SOC analysts and product people constantly feeding them new ideas and vice versa.

Naran McClung [00:34:34]:
They’re testing ideas with me. I have the pleasure of being able to go out there in market and test ideas through customer lunches and events that we host, etcetera, where I can play ideas and get feedback and bring that back to the product people who then can prioritize developments of new modules and capabilities. And I think that’s critical to staff retention. I think our SOC analysts love that that we have a fantastic customer base that’s growing every single month. They know that they’re gonna have new and interesting things to work on. I think in house, it’s a similar sort of challenge too. Right? I think an in house SOC analyst, SOC architects, product people, etcetera, they want to apply their craft. So I think, like anything, you obviously need to water these people, pay them the right amount of money and keep them intellectually stimulated.

Naran McClung [00:35:22]:
Right. Because it’s such a niche discipline. And I think when you’re lucky enough to find the people who have a passion for it, you should hang on to them with all the sort of all the love and attention that they need.

Karissa Breen [00:35:34]:
So one thing I wanna ask you as well is if we sort of zoom out, so we obviously discuss, you know, SOCs in, you know, in house, outsource, etcetera. But for people listening, what should people be looking for if they’re going through a provider that’s potentially outsource their capability? And then also, what sort of questions should they be asking as well?

Naran McClung [00:35:52]:
I would encourage I’m a huge believer in transparency. I really am. And I mean transparency every step of the way. So transparency in cost, transparency in people. Come and see the SOC. Come and see it working. Have a look at the dashboards. Have a look at our capabilities.

Naran McClung [00:36:10]:
Have a look at our threat intelligence. Watch us manage incidents, all of these things, right, that just really immerse yourself in it. I would recommend any business out there seeking an outsourced software provider, if they’re not being completely open and transparent, they can’t showcase each and every aspect of the service. They can’t offer a sense of assurance of what it’s going to cost and what it may cost in the future, etcetera, or what’s going to influence cost to now ingestion and SIEM platforms and the like, all those things that contribute to the overall cost of the service. Get deep on it. Right. And seek out an MSP who’s prepared to expose and show you all aspects of what they do. It’s one aspect of the job that I love.

Naran McClung [00:36:54]:
We’re super proud of what we do. We love talking through how we build the architecture, how we architect modules, how the service works, the inputs, the outputs, etcetera. Fail fast is a critical part of our service too. If we introduce a new feature capability and it’s not performing for us, talk about it. Right? Drop it. Move on to the next thing. These are the things that you want. I think openness, transparency, and a SOC that’s prepared to evolve.

Naran McClung [00:37:19]:
And we’ve touched previously as well on the touch points too. And if your SOC provider says they’re only gonna reach out to you once a month, well, is that right? And should you be hearing from the SOC more, and should they be more active, and should there be different channels of communication? That would be my
