Episode 7, 43:33 min
Beyond Passwords: Leveraging Identity insight to create secure experiences
Featuring
Dan Schiappa, Chief Product Officer, Arctic Wolf
00:43 What’s your identity?
03:05 Keeping customers at the center
08:50 Why identity is important right now
18:40 Leveraging AI for protections
26:05 Build vs. buy
33:40 Future Thinking
41:05 Quick hits

[00:00:00] Matt Duench: Welcome to Mistaken Identity, a podcast about unexpected lessons for building great products that customers love. I'm Matt Duench. Today I'll interview Dan Schiappa, Chief Product Officer at Arctic Wolf. We'll talk about authentication tools, understanding what's at risk if you don't use them, and understanding the power of a platform: how you build protections for your customers, protect customer identity, as well as uncover suspicious activity.

[00:00:26] Matt Duench: Well, welcome to today's episode of Mistaken Identity. Today I'm excited to be joined by Dan Schiappa, who's the Chief Product Officer at Arctic Wolf.

[00:00:35] Dan, welcome to the episode.

[00:00:37] Dan Schiappa: Thank you for having me. I'm, I'm super excited to be here.

[00:00:39] Matt Duench: Yeah, we're really excited to have you. For the folks who aren't familiar with Arctic Wolf, maybe give us a bit of some insight into, uh, what, what it is that Arctic Wolf does.

[00:00:48] Dan Schiappa: Yeah, so I mean, historically Arctic Wolf has been known for being one of the early pioneers of the MDR business and kind of helping organizations that didn't have the means to really kind of manage and, and connect all their different security resources together into one consistent view. And I think over the years we've kind of migrated into a broader offering that we call the Security Operations Cloud.

[00:01:11] We think it's really important that companies of all sizes have a, a real security operation for them. Rather they can build it themselves in some ca, you know, rare cases I think. Um, but in general to have somebody like an Arctic Wolf who can provide that for you, it gives you visibility across all of your security assets and everything that's going on.

[00:01:29] And, you know, that's kind of where the attackers are really starting to find seams in between different various security products and, and really without being able to connect all that visibility together in one overall view, it's tough. And so we've kind of played in that role and we've expanded our offerings from MDR into things like, uh, managed vulnerability, uh, we call it managed risk.

[00:01:49] We have, uh, security awareness training, incident response, cloud security, uh, and a and a whole bunch of other things that really kind of fill out that overall security operations cloud.

[00:01:58] Matt Duench: That's amazing. Thanks for that background. And I think about your role as a Chief Product Officer at Arctic Wolf, and you mentioned a couple of the product suites and families, obviously, that Arctic Wolf offers to their customers. What, what are some of your responsibilities, your day-to-day like?

[00:02:12] Obviously the day in the life of is, is sometimes challenging, but what would you say that your, your typical responsibilities are as the Chief Product Officer at Arctic Wolf?

[00:02:20] Dan Schiappa: Yeah, so you know, it starts with the strategy. It's really kind of owning our product strategy and where we wanna go and, and how we wanna grow the business, and what areas that we think it's important for us to be in. And then kind of mapping that strategy into our execution, into our product planning, into our development.

[00:02:36] Into our, you know, uh, public cloud operations and then also into things like corp dev, you know, going out, finding the right partners, uh, going out, looking at growth through M and A, things of that nature. So it really kind of spans that whole gamut. So I own, you know, product management, engineering, architecture, um, uh, live ops, uh, corp Dev, biz dev, uh, all those things that help us execute against that product strategy.

[00:02:59] Matt Duench: And over the years, I imagine you've, you've obviously, you know, put the focus from a product development perspective and product management perspective on your customers and, and how, you know, you're able to continuously deliver value for them. What are some of the ways you feel that companies can keep customers at the heart of everything that they build when it comes to product?

[00:03:18] Dan Schiappa: Yeah, I mean, it's just really some good old fashioned stuff you've learned, hopefully from, from day one, which is, you know, solve a problem the customer has. Don't just provide technology to a customer. Uh, and so when you have a solution that helps solve a problem they're dealing with, it resonates really well with the customer.

[00:03:36] It obviously works out well for your business. Uh, and then everybody's happy when you, you're building kind of technology for technology's sake. Uh, and it doesn't directly solve some immediate problem with a customer. That's, that's a problem. And I think as part of us, and I think in any industry, but really in security, you know, we are trying to think ahead of our customers.

[00:03:55] So we wanna start thinking about things that maybe they're not worried about today, that we think they're gonna be worried about, but that also, by the time you're ready with that, you're gonna be solving a problem that they need. So you still need to be able to look around corners, understand, you know, where the world's going.

[00:04:09] And for us in security, Sometimes we get lost on thinking about where security is gonna be in the future instead of just thinking about where it and general society is gonna be in the future. And then how we build security mechanisms to protect that. And so, you know, I think that's the, the two key things is solve a problem for your customer and also be out there looking for problems that they don't know they have yet.

[00:04:31] Matt Duench: And given the, you know, just the concentration I think that Arctic Wolf has in terms of your broad customer base, uh, you know, obviously you have operations globally, uh, and as well thinking about the different areas of the product, um, and your solution that you provide to customers, how do you consider balancing, um, that innovation and security together, but also what are some of the trends that you're seeing, really broad trends that you're trying to build for or solve for?

[00:04:57] Dan Schiappa: The thing for us is, is really looking at, um, the, the broad IT landscape. I think one of the challenges that we've had in security is we tend to try and solve, uh, the overall problem, one little piece at a time. So, we'll, some it'll focus on endpoint. Some also focus on firewalls. You know, focus on cloud and you focus on vulnerabilities and, and customers just like want the problem solved.

[00:05:19] And so today, when you come in and you'd say, Hey, I, I, you know, I have a posture management solution, they don't care if it's a cloud posture management or for, it's, you know, based on virtual infrastructure or on-premise. They just want the problem solved. And so I think, you know, we are starting to look at things a little more holistically.

[00:05:34] So when we wanna go in, for example, with a, with a detect and response solution, we don't care where in your IT stack it's coming from, where other vendors will charge, you know, for, for the cloud separately than, than traditional IT and, and virtual IT. And it, it, it gets really confusing to customers. And, and at the end of the day, you know, I think security is still a, a very highly prioritized budget item.

[00:05:57] Um, but, uh, regardless, everyone's, you know, they're, they're getting scrutinized over their budgets right now, right? Different people are looking at their budget spend that may have not looked before. And you're starting to see that spend going to kind of the handful of leaders in their respective areas.

[00:06:13] And they just want the problem solved. And so if you come at 'em with, you know, you know, 13 different products or 10 different vendor solution, it becomes too complex for them. And, uh, so that's, I think, where we've, you know, really kind of made a lot of inroads with our customers is we have this broad view. We can, you know, through the power of our platform, take any IT security infrastructure they have and make, you know, benefit out of it to them and, and give them one place to come and interface with. And then the way we deliver it through our concierge service gives them almost like a white glove kind of treatment as well.

[00:06:46] So they have a human being, is there available to them to help them, you know, doing security posture assessments up front, but also help answer any questions they have while we're delivering the service to them as well.

[00:06:57] Matt Duench: I feel like, especially with security, but maybe not unique to security, is probably the last thing that your customers want is another tool, right? They, I, I imagine they have so many as it is today that it becomes less about the tool and more about that central point of visibility and also being able to alert them to what they need to focus on.

[00:07:16] Right? And so that's where I think you're in a, a really unique position to integrate all that data together and, and provide that single, that really that, you know, single point of contact, that glass, single point of glass as well, and visibility into the broad spectrum of threats and, and, uh, and act and attacks that are happening across our surface.

[00:07:34] Dan Schiappa: That that's exactly right. I mean, otherwise the, they're either leveraging a SIEM product, which, you know, historically didn't deliver on the correlation and, and all the things that we had hoped it would. Or they're looking through, you know, a variety of different administrative consoles across their, their portfolio and yeah, it becomes very difficult and so, that's precisely what we do. We think the power's in the platform, you know, we collect about 500 billion security observations every day into our platform. Uh, we whittle that down to on average for our customer, they get about 10 tickets a week and, uh, a typical customer through a SIEM of about 11,000 per week. So we, we really whittle that down.

[00:08:14] We let 'em focus on the things that matter. Uh, in many cases, you know, we're there to, to help them, you know, respond or, or adjust their infrastructure or whatever's necessary to react to that ticket. But it, it just makes them focus on the things that matter. Not all the, the noise that's coming across, uh, the dozens of, of secure tools they have.

[00:08:34] Matt Duench: And you mentioned the noise across multiple different points. Even I think the, the points that the Arctic Wolf platform ingests, you know, network cloud. Uh, cloud, posture, et cetera, and endpoint. How do you see, or how have you seen, you know, identity come into play there with respect to security?

[00:08:52] Dan Schiappa: Identity is, is important now, if not more important than it ever has been. It's always been a big aspect of security. I think we used it, you know, obviously for our authentication and access control and things of that nature, but now we can ascertain so much valuable information from the user for, for attacking things like insider threat, for compromised credentials, uh, for, uh, being able to enable things that help security, like zero trust.

[00:09:16] Uh, and it's just, it's a, in a very, very important signal. And we start to think about zero trust as a step to kind of what, uh, what many people that I used to work with called Dan's crazy world, were, were think about. Where you, you know, you are delivering all of your services to your employees over the web. You know, you don't have on-premise applications. Everything is delivered through the web, and at that point, I don't really care what, if you're using a Mac, a Windows machine, a Chromebook, what, as long as, you know, you're able to complete your tasks. Because all my security is now gonna be around managing the data and access to that data in the cloud.

[00:09:51] And when you do that, you know, it's very cliche to say, but the identity becomes the perimeter that's now your security perimeter. Everything that you're doing focuses around that identity. And when you start to think about how you can build intelligence into that, not just access control, that's one thing. But should I give somebody who actually does have access to this, access, because I see some anomalous behavior, uh, on their device, or I see them, you know, trying to access things they don't usually try and access. And you start to build a whole bunch of intelligence around that, and you use that as a key factor.

[00:10:23] And then of course when you do have things like multifactor authentication, you don't just use that at the, the point in time you're trying to access something, you can use that when you see suspicious behavior, just say, Hey, I know you've already authenticated, but this just doesn't look right. Let's try it again. Let's try a different way of, of doing second factor auth. Then all of a sudden you start to, to really reduce the attack surface. Uh, so the identity is the one piece of commonality that moves across the entire ecosystem regardless of what you're trying to access and from where you're trying to access it.

[00:10:53] Matt Duench: It's really that common thread who we are, right? Um, between how, what systems am I able to get access to? What applications do I have access to? You know, am I who I say that I am? And giving folks a way to validate that. One thing that you mentioned there, I think that's really critical for folks is this concept of zero trust, right? And even at the very basic, basic level of zero trust, it's, you know, never trust the user and always verify. And I think in a corporate setting with employees, with business partners, et cetera, zero trust makes a ton of sense because you want to do that. You wanna make sure that person, Dan, is who he says he is. I'd love your thoughts on thinking about a consumer context, right? Your favorite coffee shop application. When you start to never trust and always verify that customer, that creates a lot of friction. Do you think, do you have thoughts on how companies with that, with those consumer applications can best balance security and the customer experience together?

[00:11:51] Dan Schiappa: I hate to to say it, but there's just so many levels to doing that. It's, it's about, you know, the, the, the whole concept of Zero trust as well is just to limit access of that user, to just exactly what they need, no more than that. Right. In the past it was VPN, right?

[00:12:07] I just, I'm basically just getting on the corporate network and, and then, you know, in most cases I had fair game. Uh, beyond that you may have some apps that had ACLs to it and stuff of that nature, but it was, wasn't very sophisticated. And now we're able to map the user to an application. Right. And a company like Okta's, you know, one of the, you know, the forefront leaders in doing that, right?

[00:12:28] I log into my, my, uh, corporate PC and I see the apps I have access to and that's it. And, and I can't do anything else beyond. And so there, there's no reason you can't set up this similar things for, for consumers as well, uh, with within different services. And then I think, you know, the, the key aspect is in this world, the two most important aspects of security become the identity and then the data.

[00:12:52] Uh, I think we often forget, uh, that one of the key elements of security is data protection. And I, I, I just think that we always put in all these other whizzbang things and we, we forget the very basics of at the end of the day, the attackers are doing everything they, they can to get to the data. And so we kind of lose visibility on that.

[00:13:12] And that's building, you know, that doesn't equate to encryption all the time. In some cases it does, but it equates to how you observe the data, how you track the data, the data usage, who's having access to it, uh, building intelligence around that. Uh, where data is an asset, like any other asset you would track access to.

[00:13:29] Uh, I think we can get a lot more sophisticated. And that's really kind of where the consumer has to come into play. And so if I'm a consumer facing organization, I think that's a, a key play is understanding who that consumer is, uh, knowing that, you know, consumer identities are certainly, um, violated far more than, than enterprise ones.

[00:13:47] And so how I can build on some additional protection measures. And you're seeing that a lot today, right? You're seeing organizations that are like, Hey, I don't, I don't recognize this IP address or this PC. You know, please, you know, uh, we're gonna send you a text message or many are now are, are requesting that you use an authenticator as a second factor. So second factor becoming, you know, far more common than it ever has, and I think that's gonna really help in the consumer security space.

[00:14:11] Matt Duench: I think in this concept of how you balance security, and the customer experience for consumer applications is being able to have a step up authentication, right? So as access, uh, you know, gets a bit, becomes a bit more risky in terms of what I'm able to access, right? If I'm logging into my account the first time, uh, you know, in a, in a little while, I might keep that session active so that the next time that Matt comes back, you know, 30 days, whatever I wanna set it for, it makes it easy for me, you know, to sign in to that application, that consumer application. But if I go to change my account profile, my banking information, something inside of that consumer application where it's a bit more protected, the data's a bit more risky, that's maybe where I would wanna add, uh, you know, an authentication factor like an MFA or like a one-time password, or you know, something to actually verify that Matt is who he says he is. When I'm trying to access, you know, in my account, more privilege or change more privilege information too.

[00:15:08] Dan Schiappa: There's just that education factor as well. So, you know, there, there's still an attack factor where an adversary gets on my local machine, tries to access my resources from my local machine, and, you know, if there's checks on the IP address and MAC address and is there a cookie available, all that's gonna come back true. But I still, you know, have an, an active adversary. So I think one of the things that really needs to happen, and I'm, again, I'm seeing this happen much more so than they used to, is, is education of the end user of, Hey, you should have multifactor authentication turned on. Right? And you should know that if you get a prompt, that says you're trying to authenticate and it's not, you don't just, you know, hit Yes. Just to make the prompt go away. Right. And, and you're starting to see banks and, you know, financial institutions and healthcare companies. They're really starting to, to educate the customers on that. That is, is just a super important thing. 'cause you have to be willing to help yourself. 'cause there is that balance. Where you can't make the experience for the consumer so difficult that they don't turn it on. Right. I get, you know, I, I help family members, uh, try and, you know, use, you know, password managers and things so they don't have to write their passwords down in a little book and carry it with 'em.

[00:16:19] And, you know, stuff that just makes me wanna pull a little hair I have left out. And, and, and, you know, and it, and sometimes you go, oh, it's just, it's just too hard. I'm not gonna do it. And it's like, one, you gotta make it easier for 'em, but you also gotta understand that what's at risk if you don't do it?

[00:16:33] Matt Duench: It's such a, a balance between friction and providing that amazing customer experience. And something you touched on earlier around collecting the data and keeping that data safe, I think is hugely critical, right? Because we've all been to a, a website where I, once you go to create an account, it asks you for so many things, and you have either no idea what those are gonna be used for or what the relevance is. Even of asking what my favorite, you know, uh, place to travel is and, and a favorite sport to do in the winter is, so I think like from an experienced perspective, it's around how do you build trust with that customer over time, right? Especially from a consumer perspective while keeping them safe. You know, and, uh, and, and really having these flexible factors, I think in place where you can authenticate, um, and authorize, you know, the right level of access to the right customer at the right time to balance that security and friction together.

[00:17:25] Dan Schiappa: Absolutely.

[00:17:26] Matt Duench: You mentioned a little around, you know, from even a product perspective, the data you need, and I think from Arctic Wolf's perspective, the data that you obviously collect and, and uh, uh, and parse and iterate on, what do you think some of the best practices are for incorporating either identity insights or some of that consumer level identity into your own product roadmap, uh, or your development cycle?

[00:17:51] Dan Schiappa: One of the key things for us is being able to correlate signal from one attack surface, to information from another attack surface. And I think that's kind of where the power of a platform comes into play. I think, you know, point products do a, a pretty good job of looking at the data that they have, uh, themselves and building, you know, detections and prevention and things of that nature.

[00:18:11] Uh, I think there's always things we do over the top on that, that, uh, based upon the, the massive amount of data we have, threat intelligence we can gather and things of that nature. But where it really becomes powerful is when I can take a signal from an endpoint and couple it with a network signal and then look at an identity, right?

[00:18:27] And I start to put those three things together and you start to uncover suspicious things that you wouldn't have looking at any one of those three individually. Um, this has been the panacea for security for a long time, and it's really hard and I think, you know, things like AI are making that better.

[00:18:43] And, and I think what helps us, um, you know, both on, on leveraging AI for detections, which something that we've been doing and the industry frankly has been doing for a long time, is AI also helps you understand what data you actually need to collect. And so I think that the challenge is a lot of people, and I think one of the reasons SIEMs failed is just give me everything.

[00:19:03] I'll just take every bit of data I can get. And the problem is you get what I call data drunk. You just have so much data. You really can't make any sense out of it. And so, so AI is not only great at detecting things, it's, it's smart at telling you what you don't need as well. And so you can really focus on collecting the data that's important, that will help drive those models and help drive those detections.

[00:19:23] But identity, you know, is one of those, those kind of enrichment pieces of correlation that no matter what kind of attack surface you're looking at, it's gonna add value to that information.

[00:19:33] Matt Duench: We were talking earlier about even being the, the family IT person and implementing password managers, et cetera. When Google first launched passkeys and commercial availability on your consumer accounts, I was so excited. I ran around, you know, my family, and I said to my wife, I was like, you have to implement this right away.

[00:19:50] Like go do it now. It just uses your fingerprint on your computer. And I think it's something that, especially with passkeys, really any passwordless technology, is that from a security perspective and experience perspective, we've become so reliant on passwords.

[00:20:03] That we, you know, even with, with respect to being drunk with data, I think we're like, we're drunk with the reliance on passwords that we have. And I really look at, you know, the future and where some trends are going with respect to both the experience and security and not having, like, finding a trusted way to access the applications I need to use or even log in securely. 

[00:20:25] But, I'd love to hear if, uh, if you have any insights on either that or just generally where you see some trends with security going for going, uh, going forward.

[00:20:34] Dan Schiappa: You look at biometrics for example, you know, I think the, the one that a lot of people are familiar with is, you know, face ID on on their iPhone or the fingerprint readers on their Samsung or, or, or things of that nature. And in, in those cases, uh, it's a convenience feature for the most part, right? Because alls it's doing is unlocking the pin and then it, it transmits the pin anyway, so you're still depending upon a pin for security. It's just creating a convenience factor that convenience factor's great. Um, until you forget your PIN because you're using it all the time. Right. But, uh, I think when we truly get into real passwordless security where it's, it's just not a, a, a form that's unlocking a password and passing it on that, then I think you get into a much more secure place. Uh, 'cause because again, if I'm using a fingerprint reader on my laptop, that's just unlocking a password. The password's still the weak link in that if I can authenticate using the password.

[00:21:27] And so we got a little bit of a ways to go before I think we get there, but I think where it really comes into play, it's gonna be around, uh, using multiple elements to drive an authentication, not just even a fingerprint, but it's a fingerprint and it's a, it's a, you know, a, a a, a fingerprinting of a device we've seen be like, you start to factor in a whole bunch of different pieces of intelligence to know that it's indeed that user, uh, that that's where I think we'll passwordless will get real. Uh, right now it's, it is mostly convenience factors, unlocking a pin or a password. And so, we still have work to do to, to get rid of those passwords. Um, and I don't know if we'll ever fully get rid of 'em. Uh, you know, 'cause I think unfortunately things like, you know, biometrics, um, you know, we've seen, you know, pretty easy spoof in some cases on FA Face ID and, uh, certain password, you know, fingerprint readers aren't the high quality they need to be, and you can circumvent those as well.

[00:22:24] So we got a little ways to go, but it, to me, there's so much innovation that's yet to come in this area. I've been doing authentication for 20 something years and, uh, and when I look across security, uh, I think the innovators are companies like Okta, who've, who've built, like, not just authentication, but this whole kind of access control and, and uh, kind of cloud broker mentality around that zero trust approach.

[00:22:49] That's where the innovations come, the actual authentication. I'd like to see more innovation come, uh, than, than has, and it will though it, you know, I think it's a big focus.

[00:22:59] Matt Duench: Yeah, I know. I definitely agree. And I think like in the, in the context of developing and building and you know, thinking about should I build a security operations center on my own? And I think a lot of times, even with Okta, a lot of our customers, they start out with this, this, you know, challenge of building an identity system or authentication and access management system on their own.

[00:23:21] And they very quickly realize that there's so much complexity. And that complexity can also introduce security vulnerabilities as well, uh, inside of your entire development change. But, but thinking about this concept of build versus buy. Uh, and it, you know, what, what stories do you have? What are some things that you think about or that you could, uh, you could let the, the folks of the show know here that they should think about when building successful products?

[00:23:45] Dan Schiappa: Yeah, I mean, I think about, you know, what do you do for a living? Um, so, you know, if you are a, uh, you know, a plumbing distributor, uh, maybe you're a global plumbing distributor, you got 10,000 employees worldwide, but you're not, security is not what you do for a living, right? So you need to have some elements of that in your IT, uh, infrastructure, but leverage, you know, people who do that for a living to help you deliver that. Now, in some cases, if you're a large multinational bank, security is what you do for a living, right? It's a key part of, of the value proposition that you have. So, yeah, maybe it makes sense for you to, to build out your own SOC. Uh, but for most companies, it's not what they do for a living. Uh, just like there's a lot of things Arctic Wolf, we don't do for a living.

[00:24:29] Um, authentication is, is one of 'em. And, and we don't do that. So we partner with you guys to provide that in our IT infrastructure. And so, you know, it's, you know, where, where are you gonna add value to your business and, and how can you get better value from somebody else providing that? It's kind of a no-brainer on the, the value proposition perspective. Obviously the bigger you are, you know, the value is a little higher, but, but nonetheless, it's still much cheaper than doing it yourself and, and then you get the security experts. So to me it's like, hey, if I have core confidence in something, it's directly tied to my business success, then yeah, you should probably consider doing it. If not, let let somebody else do it. I, I saw a data point as almost a year and a half ago, um, from one of the key market analysts, uh, that they surveyed, you know, very large enterprises and 78% of them did not wanna build a SOC. And you think about it, you know, we, we work for tech companies, so we go, well, that's goofy. Why is it that high? Well, most very large enterprises aren't tech companies. Right? Or, you know, they use technology as a portion of, of what they do. It's not who they are. And so that kind of makes sense when you think about it. And that's, that's where companies like Arctic Wolf and, and Okta could come into play to help those.

[00:25:35] Matt Duench: There's a huge talent shortage. It's, it's hard to find security people, developers, identity folks. It's really hard to build yourself. Um, and those kind of play into each other, where if you were going to head down the route of building your own identity system or even Security Operations Center, you kind of have to solve for those things before you're even able to, you know, stand up your own security operations.

[00:25:56] It's costly to do that when it's not your core competency, uh, as well. But can you, uh, can you think of other risks that might be involved in building software systems or building these, uh, security operation systems in-house?

[00:26:08] Dan Schiappa: Yeah, I mean, so if you think about the, again, the value add that we, we do, you know, we collect, you know, 500 billion observations and issue 10 tickets a week to our customers. Uh, so, so we're building. A massive, not only, you know, ingestion pipeline of different data sources, but we're building the AI models on top of it to filter through the noise, to do cross correlation, to do detections, to, you know, all that stuff.

[00:26:31] Are you gonna build that yourself? 

[00:26:33] You're still building your own correlations on top of it. Um, and it just becomes very challenging. And if you don't have that level of sophistication in your, in your, uh, security operation to do that effectively, all, all you you're doing is collecting a bunch of data that you're not gonna do anything with.

[00:26:48] And so, I dunno, 10 plus years ago when Target had that really big attack. Um, and people are like, how did they not see it coming? Well, you know, their, their SIEM told 'em they were under attack all the time. So they was just like, you know, it was like finding a needle in a pile of needles.

[00:27:02] And, uh, and that's becomes challenging if you don't know what you're doing. So, co a company like us, we, we understand all that. We, we know how to filter through the data. We know how to bring up the things that matter to you and, uh, there that, that just is, is so hard to replicate in-house.

[00:27:17] Matt Duench: You eliminated, as you said, all that alert fatigue. There's so much of it out there, right. When you have, and sometimes tens of thousands of data points coming at you from a, a security perspective or impossible travel or bot texts or, you know, phishing emails, et cetera. Look, it gets really hard to know what I need to be focusing my time on. So you just in the case of Target, yeah, you would obviously let some of those alerts pass because you're always under attack. So it's really, it's really difficult, difficult to prioritize.

[00:27:44] Dan Schiappa: Exactly.

[00:27:45] Matt Duench: One of the things that a lot of I hear from, from product folks a lot is I, and this is when you are actually focused on your core competency, is how do you know when you have a good MVP, a minimum viable product in place? What, what are sort of the factors that product folks should be considering when they're, uh, launching new products, new services, that they have something that's good enough to, to get out into the market.

[00:28:08] Dan Schiappa: It's really an, it's a very important nuance. 'Cause I think, uh, I sometimes struggle. I, I don't like to use the term MVP and, and the only reason I don't is I've seen some organizations kind of turn it into a negative thing, right? Like they, they forget the quality aspect of what they're delivering, right? Oh, we'll just, you know, get something out quick and we'll get feedback and then they put something out that's very poor quality as opposed to what's the minimum functionality I need to get out there. Uh, and then I can build on the functionality. And, and in security, I tell my team we have to do three things very well. Um, speed, uh, because our, I, I don't compete against other security companies. I can compete against hacking adversaries and they move very fast. Quality, because, you know, if you're protecting your business with me, I can't afford to go down. 'Cause if I go down, I'm either failing open and the bad guys get in,

[00:28:59] or I'm failing closed and your business comes to a screeching halt. And then innovation's the last piece. And it's hard to innovate if I can't do speed and quality well, but I also have to innovate 'cause my adversaries are terribly innovative. And so for me, an MVP is really making sure I focus on the minimal features I need to get something into market.

[00:29:17] Particularly when you're delivering it over the cloud, right? 'Cause you can just constantly improve that as you go. It's not like the old days when I worked at Microsoft, we did a Windows release every three years. Right? So you have the ability to kind of get a flywheel of things coming, but you can't skimp on the quality part.

[00:29:32] Like you have to be, like, in our industry, we have to be quality obsessed. And so I do, I just, I wanna make sure when we talk about with my team's minimum viable product, viable means the quality is, is top tier.

[00:29:45] Matt Duench: And being super hyper-focused on that. 'Cause I think that that's, that's a lot of the times what happens is that we get focused on creating something and then we don't know if it's the right thing. So I think starting, you know, kind of to your point there of starting with the customer's problem in mind, and then focusing the team around quality of how do we, like from a, a super high quality perspective solve that customer's problem in a way that hasn't been solved before. And thinking about it in that context.

[00:30:11] Dan Schiappa: Yeah, I mean, that, that's an absolutely great way to put it. And, and you can't solve the problem if it doesn't work. So that's, that's the key aspect of it. And so, uh, yeah, I, I love that paraphrasing.

[00:30:22] Matt Duench: What about testing and experimentation, and even thinking about how you know if you're building the right thing, like what are some things that you feel that product folks can do to test and build their own product hypothesis or challenge that minimum viable problem?

[00:30:37] Dan Schiappa: It's understanding the problem, um, very, in a very detailed way and, and, and really getting it, uh, understanding of that. And in some cases you also have to understand you can't solve the problem in one step, right? So there may be multiple steps to solving the problem. And what are those, those steps, and that's where kind of the MVP comes into play.

[00:30:55] Like, okay, I wanna get enough to get step one out there. Learn from that. And I need those learnings to help with step two, but you don't wanna lose visibility of what the final step is either. Uh, I think in a lot of cases where I've also seen mistakes is you, you go go out quick and you didn't realize what the final destination was, and then you're re-architecting something along the way.

[00:31:15] And it that, that blows the speed part of the speed quality innovation out because now, I gotta pull back and re-architect something, um, because I didn't kind of know where the final destination is. And so I think that's the key thing.

[00:31:27] That's where I talked about earlier, like product managers, one of their key skills has to be looking around corners, right? You have to solve the problem for today, but you have to be aware of the problem that the customer doesn't know they have yet. And you, if you know, we, we talk a little about consumer stuff, but you know, I'll use a consumer example 'cause it's so obvious, but like, when the iPhone came out, nobody was asking for the iPhone.

[00:31:48] That, you know, of course I want to have a, a real browser on my, my phone. But if you remember, the first iPhone didn't have apps. Uh, the phone actually barely worked. It was really just a portable web browser, but it changed the world, uh, because, you know, we were using the WAP browsers before that and, but nobody really knew they needed that.

[00:32:06] So it was kind of solving a problem that people didn't realize they have. And we have to do that in security, right? So if we're always chasing the adversary, then we're just, we're not helpful. Um, and so we have to be looking around corners. So I always tell customers when I speak with 'em, ask your vendor what's next. If they can't tell you immediately what's next, that's probably not a good vendor for you to be, uh, you know, a, a customer of, because you want your security vendors always worrying about what's the next problem or the next kind of mode or attack or the next, you know, uh, capability for defense. And if they're kind of stuck on their, their current thing and they can't think past that, they're gonna be obsolete very quickly.

[00:32:45] Matt Duench: And I'll ask, I'll ask you the question 'cause I think thinking about the future, uh, and thinking about what's coming and, and the speed at which I think things are changing from a tech perspective, what's next for Arctic Wolf? What are some things that you're thinking about, you know, areas of development, problems you're trying to solve for your customers?

[00:33:00] Dan Schiappa: Security unfortunately is a lot of cliches, but AI is definitely a big part of it. Uh, I think we've been using AI in our industry for a long time. It's not new for us. Uh, you know, ChatGPT I think is something that allowed the average person to see an interface with AI. Uh, you know, we've all been using it in this industry behind the scenes for 10 years, and so it, it's not a new thing for us.

[00:33:21] You start to put the power of things in the hands of people who aren't that powerful. Right? So when, when hacking tools became, you know, productized, so to speak, it put, you know, sophisticated tools in the hands of unsophisticated people, they just needed mal intent.

[00:33:36] And that changed the landscape for, for hacking. And now AI's just gonna, you know, add fuel on top of that. Uh, 'cause now they'll build AI based hacking tools to make your phishing, you know, more easy to find vulnerabilities and an infrastructure easy, like it's just going to exponentially improve the, the adversary's capabilities and reduce the skill needed to do it.

[00:33:57] Um, and that just opens up the, the Pandora's box for the people you have to defend against. So for us, it's, it's that it's gonna be, you know, the, the gonna get much, much, much smarter. 

[00:34:09] It's gonna get pretty crazy. And, and so for us, it's, it's using the same tooling in a defense mechanism, but it's gonna change the way we have to look at things. And who we have to look at them coming from. And so, uh, I think in these ever-changing landscape, you know, I've been in security for over 20 years and it just seems to be getting harder every year. Not, not easier. And I think the good news is for the most part, the defensive, um, companies are keeping up.

[00:34:36] Uh, but it's, it's harder and harder to keep up because the adversaries are getting smarter and smarter. And, and again, you know, having the power of, you know, generative AI and, and other AI methods at the hands of mal intended people is just gonna make the landscape even harder.

[00:34:51] Matt Duench: I fully agree. I feel like generative AI is, is the single most like impactful trend that we're going to see since maybe the iPhone we were talking about earlier. Uh, you know, in terms of the impact it's going to have on security, because that's what's gonna have to happen is that these generative AI powered attacks are going to require an equally strong generative AI response, right? And, uh, and getting really creative of how we defend against some of these super advanced attacks that are going to level the playing field. That's what it's really been, I think, is that it's getting, it's going to get super easy to write prompts and, you know, bad actors, et cetera, are going to be able to leverage that technology unfortunately for, you know, their benefit and the detriment of consumers, of employees, of partners, et cetera. So I definitely agree with that.

[00:35:38] Dan Schiappa: Yeah. And the, and the bigger challenge is I think as, as you see on, you know, Capitol Hill and across the globe, we're seeing ways to, to kind of regulate AI. And I think that's a smart thing. We wanna make sure that, you know, you're not stealing intellectual property and or using somebody's likeness in a way that they shouldn't. But the problem is, bad guys don't follow regulations, right? So we have to be careful how they regulate us on the cybersecurity side because you can't put us at a competitive disadvantage to the, to the bad guys. And, and so that, that's gonna be super interesting. And you look at things like, you know, uh, you know, I've been using OpenAI for, for quite a while, and I remember when it first came out having it generate code.

[00:36:16] I, you know, I used to joke, it was like a freshman in high school's level of coding, and then all of a sudden it started getting better and better and better and better and better. And now it's starting to get a little bit worse again because it's turning on even more code and, you know, you start to add crappy code into the training gets worse. But, but nonetheless, you know, you start to put curbs around how you can use that. 'Cause in general, you know, if you're training it off of public data, you're training it off of other people's intellectual property. Bad guys don't care about that. You'll get, again, mal intended people who can generate malicious code, who don't even know how to write code.

[00:36:45] Um, and that's gonna get smarter and smarter and smarter, particularly if the bad guys, you know, build tools out of it. And so it, it, yeah, it's gonna be, it's gonna be a wild ride. I, you know, weird part of me gets excited about it because, you know, it's just, I like the challenge. I, I like to have Arctic Wolf and, and, and Okta and other companies rise to the challenge, uh, that our customers want us to. Um, but it's, it's a challenge nonetheless.

[00:37:09] Matt Duench: So I was also thinking around, you know, trends that we're seeing. That's generally the market and trends that you're seeing in security. What about with respect to product management? I mean, what are some, uh, some of the ups, the downs, the highs, the lows of creating a product? What's great about it? Uh, and what do you think is still being improved or some areas you think that is going to improve with respect to product management, uh, in the future?

[00:37:31] Dan Schiappa: I, I came up through the ranks actually as a developer and an architect. Uh, and then I got into multidisciplinary management. And so I, I have a little more of a technical kind of view. And, and I think in a, in a space where technology and the ability to deliver that technology is super critical.

[00:37:49] You know, for me, product management has to, uh, be technically savvy and they have to play that role of the advocate for the customer, the, the kind of fortune teller for the market, but also be able to sit down with the architects and engineers. And kind of lay out a technical strategy and, and be able to ensure that the, the design is meeting the needs. Um, where I've seen, you know, particularly in security, where things get misaligned is, is where problems occur, when you know the requirements are developed. There's a view in the mind of the product manager of what needs to be delivered, and then it doesn't get delivered. And then you get the, well, hey, I told 'em to do this, and they deliver.

[00:38:26] Like, it's no, like you have to hold hands with your, your engineering counterpart as you go through the journey together. And so, um, finding that balance of product managers who are good externally, who can deal with customers and partners and analysts and, and the like, but also be able to look internally and help be that technical partner that the engineer needs. Um, that, that is super critical. Uh, where I've, where I've seen it fail is when the, you know, PMs throw it over the fence and wait for something to get thrown back that that's, that's not a good model, and, and so having that kind of interaction is really important.

[00:39:02] Matt Duench: The piece about being able to look around corners as well, I think is, is really critical of, you know, marrying the understanding of the problem together with the solution that you're providing is like hugely critical. Right. Um, and I think, I think the balance that you just identified as well across the organization, but also, you know, being able to, to have a conversation with customers about what is truly driving them crazy and keeping them up at night, being able to relay that to your engineering and your development team, like, you know, with that technical understanding or at the very least of how you translate that problem, I think are, are really critical skills for anyone that's aspiring, uh, to be a product manager.

[00:39:38] Dan Schiappa: I agree, and I think one of the key things is don't get so narrowly focused on what you do a, again, in security. You know, I, I worked on this project, uh, when I was at Microsoft, um, directly with Bill Gates and it was called Project Zeno. And I, and I named it that, 'cause Bill used to always ask me, when am I gonna have an impenetrable Windows? And I would always tell him never. And he'd get so mad. Uh, and so we created this, this plan to, to look ahead 10 years at what the world was gonna look like, and then how do we plan to secure that world? And so we didn't look at, what does security look like in 10 years? We just looked at what is the world gonna look like in 10 years, and I named it Zeno after Zeno's Paradox, which says, you can only get to your destination halfway in each iteration, which of course means you'll never get there. Right? And so, and, and that's really kind of security, right? We, we can never put our feet up and go, we're done, problem solved, right? So we're always, you know, trying to create those, those iterations to be shorter and shorter.

[00:40:36] And when I do look at, you know, where Microsoft is in security today, it's in a lot better position than it was when, when I got involved. And I think that was because, they took that big picture, you know, view of where the world and created a very slow, you know, progress to get there. And, and I think you have to do that in, in a product management or have to think about what society or it, or something broader than your product area is gonna look like. And then how do you adjust to that with your specific offering.

[00:41:05] Matt Duench: Great. So just in the last couple minutes here, I'd love to, to do some quick hits and, uh, you know, get a bit insight into, into Dan Schiappa. So what's the, what's your favorite place that you've traveled to recently?

[00:41:17] Dan Schiappa: I would probably say, I think Italy's my favorite place to travel. Uh, I'm a, I am Italian. You can tell, tell by my last name, but, you know, anytime I can get to Italy, it, uh, feels like going home. And so, uh, I just, I can't get enough of it.

[00:41:31] Matt Duench: What about meal? Was there a meal in Italy? Uh, what's the best meal that you've had.

[00:41:35] Dan Schiappa: Uh, well I won't pick Italy 'cause you could just say everything. Um, I, I have the luxury of living literally like 15 minutes from Disney World, and so I have so many different dining experiences I can have. There's one, uh, that if you are, if you like Japanese food, there's a restaurant in Epcot Center called Tate, uh, that's, uh, it's very expensive, but the, it's worth it. It's an amazing meal. It's like a seven course meal and it is just, it was outstanding.

[00:42:03] Matt Duench: That's amazing. That's amazing. Uh, maybe one last question. Where can folks find you online? What's the best, uh, best way to, to, to link up with you?

[00:42:10] Dan Schiappa: Yeah, so the best way is, you know, LinkedIn and Twitter. Uh, so you'll see me both, uh, at Dan Schiappa on Twitter and, and, uh, via LinkedIn. Love to interact with folks and, and learn from them. I think that's an important aspect of, of who I am, is I just wanna always be in learning mode. So the more interaction I can have with other security professionals or other, uh, people in general just makes me smarter. So I, I, you know, please reach out there, find me, send me some, uh, some ideas or thoughts or, or anything. It's always helpful.

[00:42:38] Matt Duench: Awesome. Well, thanks a lot for that, Dan. I think this has been a, an excellent episode. We looked at a lot of things today. A, around security, around authentication, around how we can protect the customer experience. Thank you. Thank you for taking the time today, uh, to join us on the Mistaken Identity Podcast.

[00:42:52] Dan Schiappa: Happy to be here. Thanks for having me.

[00:42:55] Matt Duench: Well, that was Dan Schiappa, Chief Product Officer at Arctic Wolf. Thanks for listening to Mistaken Identity. I'm Matt Duench. Join me next time as we explore how to leverage customer identity to your advantage.

Meet the guest

Dan Schiappa is a seasoned technology executive with experience from startup (PictureVision, Vingage) to Fortune 500 (Microsoft, Oracle, EMC/RSA, Sophos). Schiappa has led startups, and large business units and broad technology leadership roles. In every role the focus is quality, innovation, agility and results.

Copyright © 2024 Okta. All rights reserved.