June 14, 2024

00:38:25

Episode 263 Deep Dive: Naran McClung | The Benefits of In-House SOCs vs Outsourcing

KBKAST

Show Notes

In this episode, we sit down with Naran McClung, Head of Azure, Macquarie Cloud Services from Macquarie Technology Group, as he shares invaluable insights into the world of Security Operations Centers (SOCs). Naran discusses the pros and cons of in-house SOCs versus outsourcing, shedding light on the expectations businesses have for outsourced SOC services and the challenges of maintaining an in-house SOC. He emphasizes the importance of efficiency in building runbooks, standing up SOC operations, and the significance of minimal downtime. Stay tuned as Naran McClung provides a wealth of knowledge on managing 24/7 operations, structuring SLAs, and much more. So, let’s jump right into this fascinating discussion on SOC operations, security posture, and the evolving landscape of cybersecurity.

Naran McClung is an experienced IT professional and business leader, with an international career spanning over 20 years. He has defined and led significant technology transformation programmes within Finance and Media verticals, and has executed strategic engagements throughout the UK, Europe and the US.

Naran McClung runs the Azure business for Macquarie Cloud Services (MCS). The business was incepted in 2019 and publicly launched February of 2020 to coincide with the inking of a unique and strategic agreement with Microsoft.

MCS has consciously chosen to only work with the Azure Cloud Platform, believing in strength in depth and a truly committed Partnership with Microsoft. MCS is now the fastest growing Azure Managed Services business in Australia, and the only Azure Expert MSP to also be a Microsoft Intelligent Security Association (MISA) member.

Episode Transcript

[00:00:00] Speaker A: I would recommend any business out there seeking an outsourced SOC provider. If they're not being completely open and transparent, they can't showcase each and every aspect of the service. If they can't offer a sense of assurance of what it's going to cost and what it may cost in the future, et cetera, what's going to influence cost too. Now, ingestion and SIEM platforms and alike, all those things that contribute to the overall cost of the service, get deep on it, right, and seek out an MSP that is prepared to expose and show you all aspects of what they do.

[00:00:37] Speaker B: This is KBCs as a primary target for ransomware campaigns, security and testing and.

[00:00:44] Speaker C: Performance risk and compliance. We can actually automatically take that data and use it. Joining me today is Naran McClung, Head of Azure, Macquarie Cloud Services for Macquarie Technology Group, and today we're discussing the benefits of in-house SOCs versus outsourcing. So Naran, thanks for joining and welcome.

[00:01:03] Speaker A: Yeah, very happy to be here. Thank you.

[00:01:05] Speaker C: So I want to structure this interview a little bit differently to what I've done in the past. So maybe before we go for the, not the for and against, but maybe looking at both sides I want to explore more. But maybe let's start with your sort of summary on in-house SOCs, but outsource with your experience, with your background, with what you're sort of doing day to day. Be keen to sort of start with that first.

[00:01:27] Speaker A: Yeah, sure. Look, I mean, let me start by saying there are many excellent in-house SOCs around Australia. We do come into touch with them from time to time and obviously we maintain a very strong community working relationships with various senior SOC analysts around Australia. Some of those work for in-house SOCs, some of them work for other MSPs. So we're acutely aware of what's out there.
As Macquarie Cloud Services we obviously maintain a SOC arrangement, or outsourced SOC arrangement, that's very Microsoft centric and clearly I have a view on that. I would say that SOCs are expensive, so if you're lucky enough to have the money, the people and the depth of skills within your organization to maintain a SOC, that's fantastic. Equally though, for mid market corporate Australia that can be challenging. There is a short supply of security expertise across Australia and obviously there's a sort of a minimum cost of investment. If you think of the people required to maintain a SOC and certainly a 24 by seven eyes on glass type SOC arrangement and then particularly with the investments in tech, it's a huge investment for a business. So we're grateful as Macquarie Cloud Services to have an offering that's suitable for those businesses that can't afford their own SOC. But certainly out there, particularly with enterprise, there are any number of excellent in-house SOCs.

[00:02:47] Speaker C: Yeah, that's interesting. And especially around like the price side of it and the cost.

[00:02:51] Speaker A: Right.

[00:02:51] Speaker C: So I've spoken to a number of people over the years in industry saying that, you know, when we're outsourcing something, perhaps they're not acutely aware of some of the costs or how it runs. So I'm curious then to just jump in that first and go a little bit deeper on. Do you think that people aren't really aware like, you know, what do they sort of get for what they're paying for? What are the SLAs? Do you think there's sort of a lot of confusion around that from your experience?

[00:03:14] Speaker A: Look, there's a lot of disparity in expectation. That's the first thing. Quite often when we speak to certainly new prospects, they're desperate to solve a problem. That's a problem that all businesses in Australia recognize that they need to be more astute and on top of their cyber defense. And there's a wide range of expectations.
When we look at the needs of a SOC or the requirements to stand up a SOC, clearly we have a view of an MSP and if you really break it down there's people, process and technology. If I just start with technology from our perspective as an MSP, we're seeking to offer obviously a platform that's going to address the needs of, like I said, mid market corporate, lower enterprise Australia and even enterprise customers today as well. It's a very Microsoft centric approach that we're taking, particularly when we look at products like MDR and Defender XDR and capabilities that we bring to bear, but doesn't really stop there. Like for us, it's important that we're able to innovate. It's important that we're able to take that further, look at all the work and investment and the product and architecture expertise we have in our business to evolve our threat intelligence capabilities. And then taking that further with what we call our SOC digital twin that I'm hoping can expand upon during this conversation leverages generative AI to reduce the amount of noise that a SOC can take in. These are all huge investments in time and in people capability. So for a business to want to embark on that journey on their own, it's a big undertaking. And like I said, many enterprises have done this and done this successfully, but there's a considerable amount of time, money and effort involved to do that. And obviously any SOC operation, once live, doesn't remain static either. It has to go through constant innovation and evolution. As threats change, the landscape out there changes as well. And obviously, the underlying technology that we're protecting, all those inputs that would give us a concise view of threat posture or security posture across organization, they change too. New projects, new services, new demands, and perhaps new risks from the business that then have to be back considered within a SOC. So there's quite a lot in there.
The challenge for us as an MSP is difficult enough to stay on top of that, but it's a challenge that we embrace as a business we enjoy. And I think part of the fun for me certainly is getting out there and having conversations with businesses to better understand that sort of more adaptive and agile aspect, the service that we need to bring to market.

[00:05:51] Speaker C: You mentioned before, Naran, about expectations. So what do people sort of expect? Now, I'm curious to hear your thoughts, because, again, sometimes when, depending on who you're working with, if you don't know, you don't know, sometimes the expectations are higher. Sometimes people just are unaware. So what are some of the things that people expect of outsourced SOCs?

[00:06:10] Speaker A: Almost universally is that the service is 24 by seven. That might sound silly, right, but it's not unheard of. We've seen other SOCs, sort of a business hours type capability, in my experience. Certainly within our customer base, they want to know that they're protected all the time. That's very logical, isn't it? You know, you wouldn't want the service to stop. And two or three in the morning, for example, cyber attackers know, okay, well, the SOC service isn't operational, so let's go. Right. So 24 by seven is critical. So you need eyes on glass. You need to know that your mean time to respond, which is a critical metric, is within an acceptable SLA. Now, within our business, and certainly if I look at, say, industry best practice, would say that if you have a mean time to respond of around seven minutes, you're doing very, very well. We're hovering somewhere around two or three minutes at the moment, taking advantage of that generative AI and OpenAI capabilities that we built our SOC. That's just one example of us meeting one particular expectation. The second expectation, or another one, I should say, is, do you have good coverage of the business?
So if you think about what a SOC is, at the heart of any SOC is a SIEM, right. It's a security information, event management platform. And like any platform, it's only as good as its inputs. So it's very important that when we take on a new relationship with a customer, we onboard them, that we have the right feeds from within the business to give us a really accurate portrayal of their threat posture and their security posture. And that way when we take threat feeds, so as a top down approach, threat feeds from all the different industry feeds that we integrate with a SOC, that we can correlate those with meaningful touch points within the business. So the SIEM platform itself is only as good as those inputs. It's critically important that we work closely with the business to ensure that we have all the right insights from business, their services, their technology, et cetera, such that we can have an informed opinion on any given day of whether they're exposed to risk. And that's another huge expectation. Now I've touched on innovation already, so that is another big expectation too. And that is that our service can't be static. And our approach to that to date is that we introduce new modules. We have a very modular architecture. I'll give you two examples of new modules that we'll be bringing to market, one of which is bringing breach attack simulation, similar to almost like a pen test type remit, which is that you're constantly testing, testing the boundaries, testing the limitations, looking for holes, looking for gaps in threat posture. That's really important. You think week to week our SOC is looking to improve security posture and improve security score. We're looking to plug holes, we're looking to plug boulders all the time. But equally we shouldn't rest on those laurels. Breach attack simulation helps us to stay honest to that remit and look for those extra risks. And additionally to that, we've got dark web monitoring. You've probably noticed this too.
If you're using Office or Microsoft 365 or perhaps Google suite of applications, from time to time you might get an email saying hey look, you've used a password on an application out there on the Internet, perhaps a social media app or something that's been breached. And that same password relates to other services that you have in play and those have been exposed or found in the dark web. That's something that our SOC is taking on. And the fun fact for your statistic, and I mentioned this yesterday in another event that I was hosting. So it's the percentage of prospects and customers alike where we've looked in the dark web for compromised credentials. What do you think the percentages of those customers and prospects are like? Where we found credentials in the dark web, open question for you.

[00:09:54] Speaker C: Oh, I don't like this question. I'm going to say 50% in the middle.

[00:10:00] Speaker A: It's 100%. Yeah, 100%. Now, some of that is. So what some of that is, you know, your name, your mobile, your email address, for example. Right. That does fall part of your identity. But 100% of the organizations that we've worked with, we can identify that a degree of their identity, their information exists in the dark web, which is pretty scary. Now, clearly there's a malicious side to that too, and there's an escalating level of concern on a case by case basis. But it's a critical part of our service offering, to work with our customers and ensure that if they are compromised in that context, that we can then beat that back and work with them to address it.

[00:10:37] Speaker C: Okay, I want to get back to something you said before, which I found interesting because I was talking to someone in the industry said around the 24 by seven or follow the sun model as people talk about now, would you say, and I guess this is always dependent on who you're working with, would you say that? Because obviously, you know, Shane's not going to work, you know, 24 by seven.
So sometimes people, you know, outsource or they piggyback off another SOC elsewhere in the world, follow the sun model, you find some quality goes down, though, in terms of like, oh, okay, well, now we're switching over to the team overseas. Are you seeing any of that? Now I asked this question because I speak to people in industry all the time and I'm hearing a little bit of that. So I'm keen to get your thoughts.

[00:11:14] Speaker A: It's very case by case, but I want to give you an answer. I don't just want to sit on the fence. Look, I would say in my experience, with follow the sun, where service tends to track around the world. My personal experience of that is it's been a fairly poor experience. There are examples where I've seen it work well. So, for example, in working with Microsoft on critical events, particularly when I was working out of London, for example, on a critical issue, I have seen that work successfully. Now, I would say that's hugely expensive and that is sort of one example where I've seen it work. On the whole, though, I'd say general perceptions are in line with what you've said and that service can tend to drop off a little bit because you've got handover as well. You think the effort that you put into establishing an incident, getting the right people on, making sure they understand the context and the sensitivity, all the moving parts. They've analyzed the logs, etcetera, to hand that over in anger, particularly when you are stressed and it's a high profile situation for you or the customer, there's always a little bit of overlap and downtime. Right. So the experience is already strained straight off the bat. And yes, global organizations will argue that it's possible to do that efficiently. In my experience, it comes at a cost. So I think if you're in a position to offer a sovereign capability that is genuinely 24 by seven and without compromise, I think you're in a strong position.
[00:12:35] Speaker C: So if someone called you up and said, okay, Naran, well, we're a business, manufacturing business or whatever it is, and we have to do it 24 by seven, how would you advise someone to run that effectively?

[00:12:44] Speaker A: Right.

[00:12:44] Speaker C: Because you make sense in terms of the handoff and, you know, multiple people are involved. Maybe there's three different parties that are managing this 24 by seven. Right. How would you advise someone to do this? That way they are getting the outcome, they're not let down, and they're satisfied with the service.

[00:13:00] Speaker A: Yeah, good question. Good question. So I think you've really got to capture the essence of the problem and ensure that that data is shared well in advance when you need to do the handover to the other team. So a really excellent problem description, obviously, access to all the relevant artifacts and logs, etcetera. You want to really front load that before you hand over to new teams and new individuals. That's really the only fighting chance you've got to do that. In an ideal situation, before handoff, you get a representation from the new team, let's say within an hour or 2 hours of handover, such that they can get a sense of how the call's going, get a sense of context and some of the criticalities of what you're dealing with prior to handover as well. And for me, these are all just, you know, ways in which you can reduce the burden of handing over to a fresh team. You don't want them to be entirely fresh. You want them to be informed such that they can pick the baton up and be effective as fast as possible.

[00:13:55] Speaker C: Now, the other thing I want to ask you as well is SLAs. Now, again, big industry.
All the time I was talking to someone literally probably a couple of weeks ago, and they are using an outsourced capability and the SLAs was raised and then how they were sort of structuring the SLAs was like, well, when we understand more about the alert, that's when the SLA sort of starts from memory rather than when the alert sort of happened, which wasn't effective. Right. So I'm curious then to hear on your thoughts around this murkiness around SLAs and therefore you're going to get in this conundrum a little bit. So of course the client was like, well, it doesn't really work for us because what happens if your guy doesn't see this alert for four days or, you know, multiple hours? So I'm seeing a bit of that. So I want to sort of debunk and demystify that theory.

[00:14:42] Speaker A: Yeah, sure. All right, so look, within any SOC you'll have SOC analysts, sometimes multiple tiers of SOC analysts, but let's use the term SOC analyst more generally. You want the SOC analyst to be working on a meaningful incident as fast as possible. That's the key. Now, as with infrastructure monitoring, cloud services monitoring, there's an incredible amount of noise that you need to filter out. So before a SOC analyst has a fighting chance to respond or triage, typically there's a raft of noise that you need to mitigate out and you need to make sure that any sort of hallucinations or false positives or anything else have been removed before a SOC analyst is forced to engage with something. So we look at two key metrics. We look at mean time to respond and mean time to triage to give our SOC analysts a fighting chance to work on the right incident at the right time. We've spent an incredible amount of time creating what we call our SOC digital twin, which is our Azure OpenAI developed capability that filters out the noise. Now we have obviously human resources looking at that process end to end to make sure that we don't miss anything.
And it's constantly retrained and the model is retrained as we go. For us, if you can, like I said, if you can get the SLA to seven minutes or less, you're doing better than industry best practice on mean time to respond, which I think is critical. And then once our SOC analysts are reviewing an incident, you want to make sure that they can enact quickly. So most of our customers, I would say 80% of our SOC customers, are also managed service customers for the underlying infrastructure and services as well. And if it's public cloud, that relates to Azure. Why is that important? You want to be able to effect change really, really quickly. So if you've done a good job of filtering noise, you've got that mean time to respond down to seven minutes or less, and in our case sort of two or three minutes, you're doing very, very well. And then when it comes time to perhaps stop a lateral movement or effect change very quickly, if you are also managing the underlying services, you can do so providing you have the right governance in place and the right capabilities. I think that's putting you in a very, very strong position.

[00:16:48] Speaker C: But then just asking a little bit more on that because these things are important. Again, this is coming directly from industry people that are working in these functions internally. The other thing I've heard of as well is companies coming out and saying that they've got this SOC capability, but it's maybe half an analyst for half a day, a week or something like that. So they're not really offering the capability. Have you seen a bit of that and what's going on there?

[00:17:10] Speaker A: Yeah, look, there used to be this sort of adage that if you didn't hear from your SOC provider, that must mean everything's okay, right? Because you'd only hear from them in the event of an incident. I think the opposite of that is true. I think you should hear from your SOC on a regular basis.
And this notion that you're safe just because you pay someone or it's somebody's responsibility to look at it is false too. If you. A couple of really good examples here. So in the last 18 months when we have been onboarding, so our onboarding experience could take on average somewhere between three to four weeks. It can be longer for a bigger enterprise customer. Sometimes it could be shorter too. It could be less than two weeks if you're sort of a smaller mid market customer, let's just say three to four weeks. Twice in the last 18 months through onboarding, we have picked up on live incidents, as in live cyber breach within a customer environment that they had no idea was ongoing. So a statistic for you, and we work very closely with a number of leading security experts around the country. He's a fountain of knowledge that relates to stats. And a key stat that he said to me was that on average, it takes a business 281 days to realize they've been breached. 281 days. Let that sink in. So in our experience in the last 18 months with two customers that we were onboarding and our service wasn't even live, right, so we haven't even properly stood up the service. We didn't have the right people. Eyes on glass, all of that was still going through. We managed to pick up live incidents and those, both of those customers had outsourced SOC arrangements. They assumed they were safe. They assumed everything was okay, and the opposite was true. And then we had to immediately spring to action and mitigate what would have been material risk to those businesses.

[00:18:47] Speaker C: So you mentioned before. So thank you for sharing that example. You mentioned before that customers should be hearing from the outsourced SOC regularly. So define regularly, because I know it depends. Just give me a bit of a number or what does that look like? So people sort of know, like, hey, maybe the company we're using, we hear from them once every six months. Maybe that's bad.
[00:19:07] Speaker A: Well, yes, sure. Look, contact can occur across any number of different mediums, right? It's not. I'm going to paint a picture that our SOC gets on the phone every 15 minutes and badgers the hell out of our customers. That would annoy them no end. So I'm not describing a scenario like that. What is normal, though, is certainly weekly contact whereby we can talk through incidents that we've managed. We want to talk through our adherence to the SLAs. But better than that is how are we improving your security posture? How are we improving your underlying cloud posture as well? That's an ongoing discipline. How are we patching vulnerabilities within your environment? If I look at all the dashboarding that we provide our customers as well, and we've got like something 50, 60 different Power BI driven dashboards that we make available to our customers, that's a form of contact too. Now, I'm a firm believer in sort of trying to move away from static reporting. I'm not a big fan. I mean, certainly customers do ask us to produce static reporting summaries of our service and things that we've done, and that's fine if that's what they need, perhaps with their own management tiers within their business. But what I'm more fond of is live digital timelines of change where we can, on any given day or week, showcase everything that we're doing. Proactive change, new modules, new service evolutions to how we manage underlying services, particularly as relates to cloud governance. How are we tracking with deployments if we're doing a Defender XDR deployment? Is everything running as it should, etcetera? So this is, it's a constant living ecosystem of service and capability and agents and ways in which we want to let our customers know that we are working. We are constantly improving, and we are constantly evolving the threat posture within an organization. So I think it's important to surface that up.
I think it's important to obviously email out summaries to customers of things that we've done. Obviously, regular cadence of meetings is important. The customer gets to set the tone and pace of those meetings as it relates to them. New projects are obviously always interesting. This idea is sort of secure by design. Clearly we work closely with our customers as they deploy new technologies and there's a security lens to each one of those projects. Our SOC team should be involved there and determining what impact those new services or applications or projects have on their SOC operation. So what do we need to consider? And that's another example of contact as well. So SOCs are active, right? They're an active part of the business. It's not just something that sits there and you wait until the big shiny red light starts flashing. There's a much more proactive nature to the service and I think as a result of that, contact needs to be more regular.

[00:21:47] Speaker C: Okay, now that we've discussed the summary, which has gone into detail, I do want to get into maybe some of the outsourced benefits just from your perspective. So maybe let's start with one of the ones. Is no migration required so teams can focus on other work? Maybe your two cents on that would be great.

[00:22:04] Speaker A: Okay, look, we do come across this clearly. So if there's an existing SOC capability, either in house or perhaps with the outgoing outsource provider, there's a transition to service as it relates to a transition to our services. For example, in my experience, the technology is the least of your worries there. If you're a good MSP and one that's adopted technologies like SOAR and automation, and you've got well defined runbooks within your business, I think you can conduct really efficient onboarding experiences. But certainly there is a transition workload that needs to be undertaken. I think it's a misconception that this needs to be a six to nine month exercise.
By the way, I think there's some consulting organizations out there in Australia making a hell of a lot of money telling businesses that these things are people heavy and they need to take a huge amount of time. I don't think that has to be true. Like I said, the example for us in our onboarding experience, if you've done the hard work on automation, you can get onboarding down to three to four weeks on average, and there's no reason for it to take longer than that. Beyond technology, it's the business rules really that are important, right. So if you are transitioning from one SOC to another, you want to make sure that you capture those well defined or those business rules that are deemed to be valuable by the customer that should transfer over. Now, clearly there's an argument, you know, if you have an in-house SOC, you don't have to worry about that. Well, there's still an investment in standing up the service, too. So whether it's outsourced or insourced, any good SOC operation has to take those top down inputs as it relates to threats, those bottom up inputs as it relates to security posture and making sure that you capture the essence of a business sufficient to correlate to threats. There's an investment in time there. There's an investment in time in building out those runbooks as well, to make sure that you can be effective in responding to incidents. So you can go either way. You really can. I think there's a burden on an MSP to be really efficient at doing that, because clearly it can be a barrier. Right. If we come across a customer who's reticent to embark on that transition, it's on us. That's prudent. For us to be able to tell a story that we can do so efficiently with minimal downtime, I think that's critical.

[00:24:11] Speaker C: So hang on, I want to go back a second. So you're saying companies out here in Australia are saying six to nine months on board, and you're saying four weeks. What are these people doing in six to nine months?
[00:24:21] Speaker A: Making money.

[00:24:22] Speaker C: Well, that's not a good thing. If they're saying something takes that long, that's almost a year.

[00:24:28] Speaker A: That's right. Look, I don't want to name and shame. It'd probably be counterproductive for me to do so. But let me just say that there's consulting organizations out there. It's their bread and butter to make money on the people required to push that out. We don't charge for onboarding in our business. Like, there's no accent. There's no concept of paid professional services within our business. We feel like we earn the right to be the managed service provider. We earn the right to be the outsourced SOC provider by doing a very efficient group job of onboarding, and we don't charge for it. Now, in any business, if you don't discretely charge for something, you're inherently efficient at it because you want that service to be stood up. And if I'm honest, you want to be able to charge a customer for a service that's live and fit for purpose. So we deliberately don't charge for that. And I think it's refreshing for our prospects and customers to be able to take that on and sort of demystify the time it takes to do that, particularly if we're not trying to sort of make undue money from the customer in the process. I just, I don't agree with that as an approach.

[00:25:29] Speaker C: Absolutely. And I think that that's what's important about. So if someone is listening to this and that's what's happening to them, maybe that this is going to give them an awareness that probably, you know, there's a bit of fabrication going on there instead of timelines. So okay, I want to move then on to, again following the outsourced side of things, limited agility. So platform is managed by a third party. Maybe walk me through your thinking here.

[00:25:53] Speaker A: Okay, let's try and play both sides. So within our business, I know that we have to be relevant.
We have to be relevant to mid market corporate enterprise customers, which means our service has to evolve. I gave you a couple of examples of how we introduce new modules to service on a periodic basis. That's one example of how we try and stay agile as it relates to depth and capability of service. An in-house SOC perhaps doesn't need to cover perhaps as many use cases as we do, given the wide array of customers and different demands that are placed upon our SOC operation. So perhaps an in-house SOC is maybe required to be less agile. Perhaps. Or maybe also they have an advantage of being more culturally aligned to their business, in that if they're working very closely with the same product teams and business units, for example, then they can build a SOC that's perhaps tailored to those needs. I'm sure I'm answering your question there, but I know agility for us is about staying relevant in market and making sure that our service is attractive to new customers as well as addressing the risks of our existing customer. Whereas for an in-house SOC, they've probably got less moving parts to deal with.

[00:27:06] Speaker C: How do you stay relevant in market? And you mentioned something before around not resting on laurels, which I 100% agree with. I think there are a lot of people out there resting on laurels. So I'm keen to see what does that then look like from your perspective?

[00:27:16] Speaker A: We operate in a competitive market, so you know there are other MSPs that profess to do a good job. It's my job to convince prospects and customers that what we do is industry leading. We work super closely with Microsoft. If I look at how we try and differentiate ourselves as a Microsoft security provider, I think we're the only Azure Expert MSP that's a member of Microsoft's Intelligent Security Association.
We know that all our SOC analysts are participants in various communities around Australia, some of which they chair, which means they get fantastic industry feedback. It's a funny thing too with the SOC. Some of your best work is the work you do in managing live cyber incidents on behalf of your customers and live breach. And yet it's the work we can't often talk about. We'd love nothing more than to be able to stand on top of rooftops and say, hey, for this customer, this risk in this time we did all this wonderful work. Clearly it's sensitive information and our customers wouldn't want us to speak of them in that, in that fashion. But it's the burden of any SOC. I think the best work they do is the work they can't speak about. But I know our standing with Microsoft, I know our expertise with Azure, the skilled people that we hire and retain within our business, and the exposure to projects that we give them to houses to retain them as well, which is super important. All of this gives us the ability to innovate, I think, in unique ways. I know our work with the engineering teams in Microsoft and product group, and you think about who Microsoft is in the security space, world's largest security vendor. So they see things that other security vendors don't, at least on the same scale. And if we're in the best possible position to take advantage of those insights, plus our own insights from our own customer base and the communities that we work with, then on any given day, week, month, year, etcetera, our roadmap should reflect the innovation necessary to stay relevant within our customer base as well as to attract new customers. And look, it's, it's part of what I love, you know, it's part of what our teams love. Our architects, our product people, they live for this. So we're in a really strong position to keep those people happy and stay on the front foot.

[00:29:28] Speaker C: Okay, so let's keep moving forward on the outsourced side of it.
So increase platform overhead cost. What are your thoughts on this one?

[00:29:35] Speaker A: There's a lot in it. So if I look at our own platform costs, and I've given you sort of an example of threat intelligence, so threat intelligence for us is sort of manifest in 40 to 50 paid for threat feeds that come into our SOC. This includes our working relationship with the ASD as well. Fun fact is, over the last 20 years doing sop to for, I think about 43% of federal agencies in Australia as well. We have a huge investment in threat intelligence as part of our SOC. We spend hundreds of thousands of dollars on threat feeds every month and all our customers benefit from that. If you are maintaining a SOC internally, clearly you want to have the threat feeds that are relevant to you and perhaps your own threat posture. There's a big investment there. But we have the economies of scale of an MSP that can spread that cost over all our customers, which I think is a huge advantage. Other platform costs for us. I mean I've sort of touched on our work with GenAI. It's refreshing though, actually. So it's very inexpensive for us to eke out those advantages. And I talked about how we've been able to reduce our mean time to respond down to two to three minutes. It cost us very little to do that from an infrastructure perspective. Obviously, the innovation and skills required to build that solution took architects and product people time to do that. So again, it's not to say that it's impossible for an in-house SOC to do that, but it's just an investment in time and focus and we're lucky enough, I guess, to have the people and the time to invest in that. So all of these things sort of form a picture of platform for us and that's before we look at the people and process side of our service offering. But it is a big investment, but it's necessary for us to keep our customers safe as well as to attract new customers to our business.
[00:31:30] Speaker C: Let's now flip over to in-house and benefits. Again, I've got a couple of points on this. I'm keen to hear your thoughts and maybe start with the first one. So fast outcomes because of understanding business objectives, I think you mentioned before around being more culturally aligned and the requirements. So talk to me a little bit more about this.

[00:31:47] Speaker A: Look, if an in-house SOC is sort of sitting side by side with their product teams, their project teams, etcetera, and if they've adopted good practices, secure by design, where they're interfacing with relevant security skills and expertise, then they're in good shape, right. And they're hopefully making the right decisions at the right time and feeding that into their in-house SOC capabilities. Culture is important. We work very hard, certainly as an MSP, to try and align best to the culture of the customers that we have. It's not surprising to me that sort of over 80% of our customers are also managed service customers for infrastructure and public cloud as well. Because really, what's the point of having an amazing flashing red light if someone isn't around at two or three in the morning to effect change. So that's sort of one way that we help to address that, I think is taking on that additional responsibility. But certainly of the in-house SOCs that we're aware of, and particularly within enterprise particularly, they can do a good job of embedding themselves within business, making themselves known, being very helpful, obviously striving to never be a barrier. This sort of adage that security puts the brakes on things all the time. It doesn't have to be like that at all. I think good culture internally can overcome that with the right attitude certainly, and the right skills. So there's pros and cons either way. But certainly an in-house SOC can embed themselves in business and make themselves very helpful. And I think that's a strength.

[00:33:13] Speaker C: Okay.
And the other point that I have here as well is developing retained skills within the business. What's your view then on this point?

[00:33:20] Speaker A: Look, security skills, people expertise, they're hard to come by in Australia. I don't think it would be a surprise to you that every organization, every MSP is desperate to find the right security skills that they need, whether they're going to outsource them or provide for them in-house. You know, CISOs are in short supply, skilled SOC analysts are in very short supply. But look at what we do to attract staff. I mean, we work really hard. We work with universities across Australia. We have a fantastic graduate program. We spend the right amount of money too. Let's be honest, you have to pay for these people. They're a special breed too. So our SOC analysts, much like our infrastructure and Azure cloud architects and product people, they want to be students of the game. They want to apply their craft. So it's prudent for our business to create an environment where they're exposed to the customer scenarios, the use cases, the problems, the projects where they can flex their intellectual muscle and really demonstrate their skills and capability. And I think about my working relationship with our senior SOC analysts and product people, constantly feeding them new ideas and vice versa. They're testing ideas with me. I have the pleasure of being able to go out there in market and test ideas through customer lunches and events that we host, et cetera, where I can play ideas and get feedback and bring that back to the product people who then can prioritize developments of new modules and capabilities. And I think that's critical to staff retention. I think our SOC analysts love that, that we have a fantastic customer base that's growing every single month. They know that they're going to have new and interesting things to work on. I think in-house, it's a similar sort of challenge too, right?
I think an in-house SOC analyst, socites or product people, etcetera, they want to apply their craft. So I think you like anything, you obviously need to water these people, pay them the right amount of money and keep them intellectually stimulated, right? Because, because it's such a niche discipline. And I think when you're lucky enough to find the people who have a passion for it, you should hang on to them with all the sort of all the love and attention that they need.

[00:35:34] Speaker C: So I'm going to ask you as well, is if we sort of zoom out. So we obviously discuss, you know, SOCs in, you know, in-house, outsource, et cetera. But for people listening, what should people be looking for if they're going to a provider to potentially outsource their capability? And then also what sort of questions should they be asking as well?

[00:35:52] Speaker A: I would encourage, I'm a huge believer in transparency. I really am. And I mean transparency every step of the way. So transparency in cost, transparency in people, come and see the SOC, come and see it working, have a look at the dashboards, have a look at our capabilities, have a look at our threat intelligence, watch us manage incidents, all of these things, right? Really immerse yourself in it. I would recommend any, any business out there seeking an outsourced SOC provider, if they're not being completely open and transparent, they can't showcase each and every aspect of the service. If they can't offer a sense of assurance of what it's going to cost and what it may cost in the future, etcetera. What's going to influence cost, too? No ingestion and seeing platforms and alike, all those things that, that contribute to the overall cost of the service, get deep on it, right, and seek out an MSP that's prepared to expose and show you all aspects of what they do. It's one aspect of the job that I love. We're super proud of what we do.
We love talking through how we build the architecture, how we architect the modules, how the service works, the inputs, the outputs, etcetera. Fail fast is a critical part of our service, too. If we introduce a new feature or capabilities and it's not performing for us, talk about it right, drop it, move on to the next thing. These are the things that you want, I think openness, transparency, and a SOC that's prepared to evolve. And we've touched previously as well on the touch points too. And if your SOC provider says they're only going to reach out to you once a month. Well, is that right? You know, should you be hearing from the SOC more? Should they be more active and should there be different channels of communication? That would be my retirement.

[00:37:42] Speaker B: This is KBKAST, the voice of cyber.

[00:37:46] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:37:54] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently.
