Ian McShane is the field CTO at Arctic Wolf, a cybersecurity company that provides managed detection and response technologies for small and medium-sized businesses.
The Minnesota, US-headquartered company’s solutions are used by organisations ranging from the healthcare sector to manufacturing.
Founded in 2012, Arctic Wolf raised $150m in a Series F funding round in July, valuing the company at $4.3bn.
McShane has more than 20 years’ experience in cybersecurity and operational IT, previously working at Gartner, Symantec and CrowdStrike.
In the latest Q&A in our series, the Arctic Wolf CTO explains how video games inspired his interest in tech, why the next two years will be the “coming of age” for cybersecurity and why he sees “.ai” domains as a fad for wooing investors.
Rob Scammell: Tell us a bit about yourself – how did you end up in your current role?
Ian McShane: Oh boy, it’s been quite a ride from starting out in an ISP’s call centre doing consumer tech support at the turn of the century to spending a decent chunk of my career at the forefront of cybersecurity with a number of vendors. Despite a few years in product leadership and some aspects of marketing, my roots were forged as a practitioner and that’s the angle I bring to work with me.
I always ask: How can I help organisations improve their security, and how can we eliminate the things that are painful as front-line practitioners?
Where did your interest in tech come from?
I think it stems from being a video games nerd! My primary school in the late 1980s somehow had a bunch of BBC Micro and Archimedes computers, and if you knew how to use them, you were allowed to play educational games instead of attending what in comparison were other boring lessons.
My love of tech then carried on through my teen years when I found the bulletin board scene and coding. Fun fact: when I left school in 1996 my Record of Achievement even said that I planned on becoming a software engineer.
Which emerging technology do you think holds the most promise once it matures?
The cliché answer is of course something about using machine learning (ML) and “AI”, so I hope I’m not insulting my data science friends when I say that I’m fed up of hearing the same promises of AI being the saviour of everything in cybersecurity.
Where I do see the promise is in ML processing and classifying vast amounts of security event data faster than humans ever could. Especially as after years of largely unfulfilled marketing promises, we are finally seeing the industry begin to be able to remove alert fatigue misery. This sings to my practitioner background!
How do you separate hype from genuine innovation?
I look at the outcome, not the words or language. In an industry dominated by marketing buzzwords, it’s easy to get lost among similar-sounding capabilities and renamed or rebadged things. You only need to look at the current trendy terms like XDR, and the fad of adding “.ai” to your domain name as a way to build your hype for investors and Wall Street, to see it happening.
What one piece of advice would you offer to other CTOs?
It’s really, really tempting to focus on innovation and the bleeding edge (and don’t get me wrong, that’s so much fun to work on!) but the reality is that most organisations, and huge parts of your target market, are often three or more years behind the curve.
If you want to deliver capabilities that delight your users and customers, you have to consider how they are going to adopt and use them and make sure that you don’t punish or alienate customers that aren’t as sophisticated as your biggest cash cow.
What’s the most surprising thing about your job?
I’m only a few months in so as I learn more about Arctic Wolf and my colleagues there’s a lot that is surprising. And, as I look at my notes from customer conversations, I can say that it’s less surprising and more shocking that so many organisations report the same types of issues that have been around for over a decade (I’m ageing myself here!)
What’s the biggest technological challenge facing humanity?
The easy and short answer is climate change. It’s an area I’m continuously trying to educate myself on. We’ve already started to read about the massive power consumption issues that come with technological advances like blockchain coin mining. As our industry gathers more and more data, I wonder if our reliance on processing power is going to have a similar impact?
What’s the strangest thing you’ve ever done for fun?
This is the hardest question by far! I guess “strange” can be pretty subjective so I’ll say constantly getting tattoos seems strange to some people. Every time I’m in the studio for something new I joke with my tattooist friends that “getting tattoos is stupid” but I’ve got a strange addiction to it and although the process is arduous, I’m almost always happy with the outcome.
What’s the most important thing happening in your field at the moment?
Sadly the most important thing is not necessarily positive right now. I see a lot of organisations exposed to the true risk of the threat landscape when they get infected by ransomware.
The headlines always talk about nation states and so-called advanced threats but the reality is that most incidents and attacks are opportunistic and not targeted. As we see with large attacks such as Kaseya, organisations can do everything right but still get compromised due to something outside of their control.
If the pandemic drove 2020 and 2021 to be the time of accelerated digital transformation to cope with the distributed, hybrid work life, then 2022 and 2023 will be the coming of age for cybersecurity. More organisations are taking security seriously. I don’t mean just spending money, but I mean operationalising. I mean holding vendors and suppliers accountable. I mean truly trying to measure their current risk and doing something about it. I mean actually testing their disaster recovery plans.
In another life you’d be?
Honestly, I still can’t believe I’ve been so fortunate to have the career I’ve had so far. I’ve benefited from a huge amount of luck and privilege which I’m trying to pay back (or pay forward) and there is very little professionally that I would want to change.
But, if I could choose another path, it would be as a musician for sure.
It’s fun that so many folks in cybersecurity have a passion for music – almost every Zoom call will have someone’s musical instrument in the background. Sadly, I’m more of a karaoke enthusiast than a musician these days.