Leading the Pack: Human Ingenuity in the AI-Driven SOC With Lisa Tetrault

Mick Leach: Hello and welcome to SOC Unlocked, Tales From the Cybersecurity Frontline. I'm Mick Leach, your host and guide on an exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest in industry news, emerging threats, practical strategies to keep your organization safe, and more. And today I'm excited to have on a dear friend of mine, Lisa Tetrault, Senior Vice President over at Arctic Wolf for Security Services.
Is that right? Brilliant. Wonderful. And I'm so glad to have you on the show. I know that our listeners are going to learn an absolute ton from you. For those who are just tuning in and don't know, Lisa and I have done a couple of things together at different events. We did something in Calgary. We did something else in...I don't know, where was the last one? Where were we? Vancouver, yes. Oh yeah, yeah, yeah, yeah, yeah, brilliant. So almost always in Canada, because you are in the great white North up there. Great. So tell us a little bit about yourself, how you got into cybersecurity, what your current role is, that sort of thing.
Lisa Tetrault: Sure thing. Okay, so I've been at Arctic Wolf now for seven years. In the current role I have, as you had mentioned, is the Senior Vice President of Security Services here at Arctic Wolf. I lead the Concierge Security Team, which is the proactive arm of the business, and the Security Operations Center as well, which is the 24-7 MDR team. And I also lead the Incident Response DFIR Team worldwide across the organization.
We are protecting and delighting customers who have trusted us with our services, of course. I just recently actually moved into this role. I had been originally overseeing the global SOC here for a few years at Arctic Wolf. And I just stepped into this expanded role recently, I think about April or May of this year. And it's a really exciting challenge. And I'm grateful for the customers that have trusted us in this service. So I'm responsible now for the MDR and EDR service, as I had mentioned, and across many, many industries. So education, sports, finance, manufacturing. And my role is really focusing on ensuring that we're not only detecting and responding to threats effectively, but we're also doing this scalable and consistent and with that human centric way. So we always hear about this now with the platforms that are out there, but also adding that human element, which with SOCs, we know how important that piece is, right? Prior to that though, I've held several leadership and practitioner roles in security and data network operations over about two and a half decades from small startups of about up to 300 people to large enterprises of companies up to 350,000 people. So yeah.
Mick Leach: Wow.
Lisa Tetrault: I've been in the telecom sector, financial services, technology, and strategic outsourcing across my career as a practitioner, as I said, all the way up to leadership roles. So I've done this in Canada and on a global scale for many, many years. I did my bachelor's, my undergrad at Western University in computer science, did a lot of programming at that time, and did a bit of security courses back in those days, two and a half decades ago, many, many, many years ago, and did an internship is really where I started and ended up at a bank. And from there, each time I had started with the network operations and just did a side hustle is what I would say in security each time, each role.
As I said, as the practitioner and continued on in many of those journeys along the way and ended up at Arctic Wolf about seven years ago, just over seven years.
Mick Leach: That's fantastic. Now, how big is Arctic Wolf now? I know you guys are a premier, elite level, managed detection response organization. So folks, if you're listening and you guys are looking for MDR services or need help in that space, certainly give Lisa and the team over at Arctic Wolf a call because you guys are pretty great at that stuff. But how big are you guys now?
Lisa Tetrault: We have about 3,600 employees, and we have about 10,000 customers.
Mick Leach: Wow, all right, awesome. I love it, I love it. I'm so excited that you guys are out there killing it and making the world a safer place. That's certainly why I got into cyber as well. So it's near and dear to my heart. So now let's jump into some questions, right? We're gonna shift this a little bit for our long-time listeners. We got new questions for you, cause we heard you, we wanted to change things up a little bit. So now we're gonna dig into some new areas as well. So, the first question I have for you is, what's one recent shift or challenge that the SOC over there at Arctic Wolf has faced? And, you know, how is that working for you?
Lisa Tetrault: Okay, that's one of the fun questions we're always seeing. So one of the biggest shifts I think that we have been seeing is the increasing sophistication of social engineering powered by AI, right? We're seeing phishing emails and impersonation attempts that are so well-crafted right now, they rival what used to require nation-state capabilities.
So in fact, our latest trend report, and I can send you the link and you can put it in the show notes if you want, is one of the most notable findings, which is that AI is now surpassing one of the things that most companies are really worried about and the concerns that we have in the organizations. So like 29% of security leaders are citing.
AI and large language models and even privacy concerns as the number one concern that they have, and it's surpassing ransomware and malware, and data extortion as a concern of theirs. Isn't that crazy?
Mick Leach: It is, it is, it's crazy. And here at Abnormal, right, in my day job, right, this is exactly the same stuff that we're seeing as well. So I agree, it's good to, you, we have independent validation from someone else that this continues to be a problem, but I love hearing about it, so.
Lisa Tetrault: I figured that would be good. And really, what that means to our SOC is that we have to double down on the behavior analytics and identity-based threat detection. So like as an example, as you know, the voice cloning from social media or podcasts or interviews are using that to target family members or colleagues in generating emergency scenarios, right? And then the deep fake videos or executives or trusted figures are now.
Like we're seeing that being conducted in fraudulent video calls or requesting fund transfers or emails, like things like that. They're like real-time having those feelings now instead of having a prerecorded video in the past, right? So all of those things are really particularly convincing. And we're seeing that more and more now, instead of in the past, where it was a little bit more predictive, I guess.
Mick Leach: Sure. Yeah. Yeah, used to be pretty clunky, right? I mean, you could tell, you could take a look at an email and go, that's fake for sure. And these days, it's not as easy.
Lisa Tetrault: Yeah, I know Abnormal has some pretty cool capabilities and that's something that you and your organization have a great product for. Yeah, great.
Mick Leach: Well, thank you. I appreciate you saying that. OK, so you had mentioned AI, right? So you kind of opened this can of worms here. It's open. Let's get into it. So what's, in your opinion, one of the biggest misconceptions when you hear about AI and cybersecurity?
Lisa Tetrault: Okay, so one of the things I've recently read was the Gartner's latest report that SOAR is obsolete before plateau and AI SOC is entering this new peak of inflated expectations, right? So I think they're related. So much of the AI SOC hype is coming from an early stage startup, right? But many of which are claiming the ability to replace humans entirely. I don't think that that's a thing, right? But right?
Mick Leach: I'm with you.
Lisa Tetrault: But I do think the industry needs a set of tests and metrics to better evaluate these claims. Most, if not all, of these are aspirations still in the current capabilities. Really, LLMs are specifically not great yet at detecting anomalies. So AI is a long way from where we need it to be. But that being said, LLMs are a fantastic tool for collating and formatting and summarizing all that information. And even code creation.
And like we can use it as part of a well-designed system that can do significant parts of our SOC workflow. So I don't want to throw it all out and say it's like not useful because it's really useful. We're seeing a lot of great strides here. But what I do want to say is at that point, it's not all full automation yet. So let's not get ahead of our skis. I see so much greatness. And we're doing a lot of great things at Arctic Wolf.
But we still need those humans. We still need that overlay of those humans for the correlation and things that machines are not great at doing yet.
Mick Leach: I agree. I agree. I think human in the loop is going to remain important going down the line. So I love that you're pumping the brakes there. Now, let me go on the flip side of this, though, and instead ask, where have you seen AI and ML provide actual real value in your environment?
Lisa Tetrault: Right, great question. We have seen a lot of great capabilities come out. We recently announced a partnership with Anthropic to accelerate our development of autonomous SOCs, which is exactly the direction that we need to go in. And that collaboration is really combining the human augmented AI capabilities, which is exactly what we need to be doing here with our Arctic Wolf Aurora platform.
And what that really means for us is it's the first output that we just had was in collaboration with the launch of our AI Security Assistant to build out and help our customers extract deeper insights from our Aurora platform. So what we did was we had this AI Assistant, we used it internally for a long time, and it allowed us to get deeper insights and see all the data, and ask questions, and have it all part of our ecosystem. And then we released it to our customers. And that tool met our highest standards of safety, privacy, and performance, because that's like a table stakes, right? When you're starting to use AI. And it marked a significant step forward to delivering on the promise of an autonomous SOC. So it's just part of our ecosystem and what we use on a daily basis.
It's one of those tools that, internally, when we have a large data set or we have something to think about, or process, it's the first place we go internally is like, could this autonomous AI or our AI security assistant, can it use it? Can we use it to crunch this information? And I don't recall a time where we couldn't actually use it and some capability may have some benefit to it. So it's great. It's great for our team. It's great for our customers. And we're seeing a lot of benefit right there.
Mick Leach: That's awesome. So what I'm hearing you say, keep me honest here, is that you're largely using AI and ML and having great success at this in terms of augmenting what your SOC analysts are already doing, making their lives a little bit easier. Is that a fair assessment then?
Lisa Tetrault: Absolutely. It also adds that extra element of context sometimes, where sometimes it's hard for people to put things into words, right? Just like you added context to what I just said. It also allows that to happen, right?
Mick Leach: Yeah, beautifully. And I'll tell you what, and I'm guilty of this as anybody is these days, but, you know, I use AI constantly, especially generative AI to help me write, whether I'm summarizing something, whether I'm writing something that's going even just internally to a dear friend or whether I'm saying it out and it's going to be public facing. You know, it's so much better than I am. The way it writes, the way it speaks. You know, it makes me sound way more intelligent than I deserve.
But yeah, I think there's value in all of that.
Lisa Tetrault: It's a lifeline for me as well, Mick. I totally use it every day.
Mick Leach: I'm glad I'm not, you know, the only one that's doing that, right? Otherwise, this turns into a confession rather than a comment. That's awkward. But no, so, you know, what I loved about that though, was that you, your focus on delivering AI and ML, not only is focused on delivering value for your customers, which is important, of course, but it's also about making life better for your analysts. So I kind of want to...pivot on that thought because I think there's value here too. I haven't been in a SOC yet that wasn't working really hard, potentially overworked, there's challenges of burnout and fatigue, and there's a lot to go on the human side of things. Where you're running an MDR over there at Arctic Wolf, how are you, you know, reducing analyst burnout and alert fatigue and those kinds of things over there?
Lisa Tetrault: Yes, so there's a couple of factors. I'll just talk about the high level and then we'll get into the culture because there's a couple of components. So the first thing we need to worry about is ensuring as a SOC that you are worried about the tool management, your integration, your workflow development. You see that everywhere you go. You have to make sure that from an analyst perspective, you are the rules are continually being tuned properly. You can even use AI for that. You can look at false positive rate. All those things become a lot easier with, you know, employing AI. How often has this fired? Can I tune it? Can they do it effectively? Are my tools sitting independently or can they be integrated? If they're interoperable, it makes the analyst's lives much happier.
If you are sitting there doing context switching, analysts are not going to have a happy life, just tell you that for free, right? And if you continually have them context switch all the time, you're gonna have a much lower quality of life across the board. So that in itself is just one thing that you have to be very careful on a workflow development, having playbooks and workflows add context really helps security teams avoid that time sink of disjointed events. Identifying and providing that context is really not a small task, right? So as change of tools and adding all of that together can be removed, it's like a never-ending kind of chore. So, like having workflows that make sense is always a quality-of-life thing. Now, what is really important to me, that those are just like standard things you gotta make sure you're doing your SOC, right?
If I look at Arctic Wolf specifically behind the scenes, analyst burnout and the human side of the coin is super important to me. And it all distills down to culture, right? And if I look at what we try to employ specifically, there are a couple of things. So the first thing is, we took a step back and we said, we really need to look at, start out with the shift schedule. So we are on a 10-week rotation. We try to minimize the number of swing shifts that people have.
You know, you could have straight days, straight nights, straight afternoons, a variety, continental shift, whatever that looks like. What we didn't want to have happen is for people to stay on nights and then not be part of the day shifts. And so we did this 10-week rotation to keep the team happy and engaged. And we built this week off in the middle of that 10-week rotation. You have minimal weekends and minimal nights, but for the most part, everybody is working during core hours.
And that's Monday to Friday. That's just one of the things we did. When they are working, we also tried to give them a variety of work. So while they're on shift, you're not going to sit there and look at a board the whole time. You're not on an eight-hour shift or a 10-hour shift. You are in work looking at a board for the entire eight hours. That is nothing screams analyst burnout more than just same task over and over again. Right. So we tried to give them a variety of different aspects of the role and keep the team engaged. So as there was more things that had to be done in the SOC, we tried to ensure that they had a variety of tasks. So, okay, we need four hours of work over here, and we need four hours of work over here, and two hours of work over here. And that gave them a variety of things to do, and it also stretched their skill set. And that really gave a different look and a different lens of a customer journey, okay? We also built out a certification program.
And this allowed us across the security services organization to understand all the different levels of, you know, what a SOC analyst role and all of the different levels within the SOC, or the different levels in the concierge team, or the different levels in the incident response team, or the technical support team. Because I had the we have the portfolio of all of those, you could go and be certified in any of those areas. And that was completely fine.
It's part of our portfolio. You can go and figure out if you like that type of content and that work. And that's great. You can go figure it out. You can get certified and realize that maybe that type of work is not for me. Or you can make yourself eligible candidate to apply for that role by getting certified. So that was really good because it allowed the team to expand their skills through the certification program.
We're also a culture of celebrating wins, and by wins, I mean security wins, right? And that's from a customer viewpoint. So how was the customer delighted? How do we stop a threat actor in their tracks? How did the customer provide feedback about what they liked about our service? And we celebrate that in a Slack channel. We celebrate that with shout outs and all sorts of things. And that's really building up the culture. We also brought in a Lego program.
I have my Lego here.
Mick Leach: I love you by the way. And I specifically asked for Lisa to highlight this. She had to go find the Lego thing. We, so Lisa and I have spoken about this before, just in person at events that we've, and I love it. I love what you're doing and how you get to really build. So it can keep me honest here, Lisa, that as your, as your analysts grow and mature and get involved in different things. There's growth as well to show how long they've been there and the status they've attained, that sort of thing.
Lisa Tetrault: That's right. Every year of service, they'll get a Lego brick. If they were part of maybe a mega threat that happened or a zero-day, they would get, that's right, they would get a new Lego brick as part of it. We would call it for customers. You'd be part of that event. You would get a brick. Or if you referred, you know, five friends as part of it, you would get a recruitment brick here. You have five little friends.
And different department, if you moved into a different part of security services, you would get a different brick. So there's all sorts of reasons to celebrate being part of the organization, of the team. And this is really what it's all about is giving another reason to celebrate. Yeah, it was a good motivator, if you will.
Mick Leach: I love it. And so leaders that are listening, like I want you to really lean in here because this matters, okay? The silly things, you know, we take work too seriously sometimes, myself included, I'm guilty of this as well, right? And it's important work and it's serious work, but it doesn't mean we can't have fun. And so the little things like this, worked, Bain, if you're listening, I love you.
Kim Bain was a manager, one of my first SOC manager at a previous company. And we created the SOC monkeys. Have you seen the SOC monkeys? And so you had to earn your SOC monkey. And so you'd see the analysts sitting around who had earned their SOC monkey and displayed it proudly next to their monitor. And then the aspiring analysts that were coming alongside and once they earned their site we had a we had a ceremony. It was a whole thing, right? It's these silly little things, though, that really create culture and Lisa and Kim are both such great leaders, and identifying know how to motivate and keep things fresh, keep people interested and excited about the work they're doing, so leaders listen.
Lean in and listen because Lisa is doing some really cool stuff over there, Arctic Wolf. Not just this program, but there's more too, right?
Lisa Tetrault: That's right. That's right. We have our alpha dogs coming up. That is where we recognize the top 1% of the team. So security services, we just announced it in May. And it's our top 1% from last year are going to them and a plus one are going to on a trip for them and to Nashville actually for them.
Mick Leach: No way.
Lisa Tetrault: Yeah, so we're going to Nashville. That's in October. It's five day trip. And we have a lot of really cool things planned in that five days. And it's gonna be a great celebration for them and celebrating them and their accomplishments of what they've accomplished.
Mick Leach: That is awesome. I love it. Marketing team, you're listening, Nashville, October, let's see if we can figure it out. I'd love to pop in and say hello to Lisa and the team. They're killing it down there. So, no, that's exciting. I am headed to Nashville for something. I think a CXO Forum event in the coming weeks. I don't know exactly when, but no, that's awesome. I'm so excited. There's really neat things. Like sales has historically had these kinds of things, the presidents' clubs and whatever else that they do. I will say we haven't done as good a job of really recognizing and rewarding our top performers in the security space. And many times it's hard to quantify, you know, the challenges that you've overcome or whatever, you know, where we've caught things before it got bad. But that's awesome. I love that you figured out a way to do that and are doing that. That's fantastic.
Lisa Tetrault: Yeah, I think it's all the senior leadership team really works together on looking at different ways to recognize team members. So I would be remiss if I said it was all my ideas, because they are not all my ideas. The team really comes together when it comes to culture. And culture isn't like an Easy-Bake oven. You can't just like do it once and that's it. You have to all lean into it. So if you're not all on the same page and you're not all continuing to do it over and over again and leaning into it, it's just not gonna work. You can't just set it up and that's it, right?
Mick Leach: Yeah, can't set it and forget it, right? This is not the Ron Popeil of, you know, leadership. So leaders, you know, Lisa's over here dropping nuggets of wisdom. I hope you guys are writing some of this stuff down because it's fantastic. So it's really exciting. Now I want to transition a little bit because you're doing so many cool things to keep everybody motivated and excited about the work. Now, let's shift gears to maybe how the bad guys are doing things. So maybe what's something new? Like a new unexpected threat technique or tactic that's caught your eye and you have kind of the best visibility for this being on the front lines for so many of your customers. What have you seen for 2025 that's kind of new and, quote unquote, exciting?
Lisa Tetrault: Sure. So I think it's been long understood that organizations actually face threats from both nation-states and hacktivists. And they're both opportunistic and looking to prey on the weak to do damage, right? But now we're kind of at a turning point where we're seeing a rise of collaboration between the two groups. Yeah, they're trying to accomplish the same goal. And by using hacktivists on the front end for the nation states. Hacktivists are starting to do the bidding and to draw attention, while nation-state threat actors can achieve their objectives by remaining out of the spotlight. It becomes like a little bit of plausible deniability, which is an interesting series of events now, and ransomware as a service continues to commercialize malicious activities, right?
And tactics like double and triple extortion are becoming the norm and now escalating the emotional and operational pressures of victims. And so like we're seeing a little bit of that. And I guess attackers are also strategically targeting critical, like really critical infrastructure and supply chains. That is, I think that's more like, you see that anyway. And they're exploiting downtime to drive the urgency. And we put that in the Threat Report. Happy to share that link as well. So you can put in the show notes if you'd like. I did talk to a colleague of mine, Ismael Valenzuela. He's amazing. He's also an instructor at SANS. He works here at Arctic Wolf. He runs the Threat Intelligence team here at Arctic Wolf. And when I was talking to him, he said,
Mick Leach: I know I took a course from him. He was one of my teachers. Yeah. He's brilliant.
Lisa Tetrault: So the trends that are happening in cybercrime, like we're not seeing a lot of sophistication in the malware, but we do see a lot of novel ways and diversified ways to get in the door. And we kind of talked about that earlier, right? It's everything else seems to be the same, except, you know, the way they're coming in is getting a little bit more sophisticated with the social engineering side, right?
But as organizations have increased endpoint protection, attackers have to find ways around. And that's really the social engineering side. And I found that to be interesting. One little nugget he did give me, though, I will say, is that, and it was on a threat briefing that he just had, his team just had was ransomware groups are operating just like a business, like every other business. And there was one that he just shared, was they had actually a misstep with a victim recently and they blamed an intern. A ransomware group was blaming an intern because they had a miscommunication with one of their victims. So, I mean, they're all making mistakes out there, right?
Mick Leach: My gosh. I just can't get over the fact that ransomware groups have interns, right? There's an internship, right? There's always an intern screwing it up. Right. My goodness. That's hilarious.
Lisa Tetrault: They do. So they're not immune to having interns.
Mick Leach: My gosh, that's crazy. We've talked a little bit about what we're seeing. How are you seeing threat actors leveraging AI these days? And how are you staying ahead of it?
Lisa Tetrault: So I'm going to tell you the biggest concern is AI as a tool. It's democratized and supercharged the social engineering side of it. And it's really more targeted and bespoke social engineering that might have required nation-state resources in the past or now for ransomware gangs. And so we're continuing to focus on credential theft and comprehensive behavioral detection.
They've always been challenging, but it's more important than ever to really cover the entire attack surface and be able to collate and aggregate all of this data. Like we're not seeing a lot of agentic AI end-to-end, but we are seeing parts of the attack chain being automated. That's what we're seeing. Like nation states, they have this whole strategy in collecting information and then finding zero days like in the infrastructure.
We see it on the phishing side where attackers are using LLMs to craft phishing attacks, but we don't see it right now on the malware side in its entirety to create AI. We see it as a tool, right? But not the full end-to-end attack. So faster, things are happening faster, of course, and there's more capabilities, but we're not seeing a lot from an entire end-to-end attack using AI. Really, I mean, we're trying to stay ahead, looking for these patterns. We're using AI as well to catch this. And we're just sticking to the principles of understanding it, trying to protect as much as we can of an estate, of a customer's estate, and focusing where we can on catching what it is that we see.
Mick Leach: Okay. Now that makes sense. As some of the things that I'm doing, in fact, I think I missed you in Sydney. We were both there at roughly the same time and I missed catching up with you and I'm sorry about that. But I was there with my friend, F.C. I don't know if you know F.C., freaky clown, world-famous social engineering hacker, dead brilliant, I love him. But one of the things we were doing is, you know, we were showing how you can leverage AI to automate huge chunks of the life cycle, right? The attack life cycle and we were able to do that. To your point, even the actions on objectives, there are certain aspects. I haven't seen anything automated truly from end to end yet. Now, it's not to say it won't come. But we're not there quite yet either. So interesting. Awesome. So let me switch gears again just a little bit here into more like a SOC automation or SOC modernization here.
All right, so let me switch gears here a little bit and I want to jump because in our world, in security operations, especially, metrics drive everything. It's how we, you you can't manage what you don't measure, they always say. And so it's important that we capture metrics. So what metrics do you rely on and show the impact of the SOC services over there at Arctic Wolf?
Lisa Tetrault: Sure. OK, so there's a whole ton that you can look at. From a business perspective, you're always looking at net retention, customer satisfaction churn, and PSSLOs. And that's from an internal perspective, what I care about from a customer, if I look out into the business. But really, what I care about is, from a customer perspective, what I'm looking at is really critical asset coverage. I need to make sure I am looking at all the critical assets.
How am I performing for the customers? It's really near misses. How many times have I taken containment actions, active response actions for our customers? And really, the things that are value-add moments are things that I care about right now. So those are more difficult to quantify. But I think about the times that we have delighted our customers and things that we can show that we have and that we can do more of value. So when a customer tells us that we hit something out of the park, I care about that. When a SOC held out to us because we had a user download a malicious file and it was not intended to be downloaded and I was about to go to a meeting to justify the security spend and you just called me out of the blue.
And lo and behold, like that was the best phone call I could have had because I was walking into the meeting. Like that would be a value-add moment. And so like, I can give you all the SOC data. I can talk to you about the, how much we've automated plus the human overlay. Like I can talk to you about all of those things, but really I care about what is the value that our customers are getting from us because it doesn't matter at the end of the day, unless they're getting value. So those are the things that right now show me that we are doing the right thing by our customers today. But again, like the business metrics are all there. I mean, I can list them off. I mean, you can go to ChatGPT and say, are the right metrics? I probably have it. Like I got about a bazillion metrics in our portfolio. And each level of management has to worry about each different one. But like if I just distill it down to one metric or a couple of metrics that I really care about, it's like,
Of course, you care about compromises, of course, like all of these things and how could we have done better? But like, I really care about the value that we're adding to customers so I can do that more.
Mick Leach: Okay, I love that. So if I'm hearing you right, it's kind of transitioning the story to be less about the data itself and more about value and really make... so security leaders, this is an area where candidly we fall down to some extent where we don't do as great a job. We focus too much on all of the details, all of those numbers of the number of attacks and the number of investigations we performed, and our vulnerabilities, right? These are all data points we all track. Yes, of course you have to. But the real story is, what value did the security team add? What value did they provide to the company or to the customers at the end of the day? I love it, I love it. Okay, so we've covered a lot of ground. I've got a couple more areas that I really wanna tackle here.
You had mentioned you have this full built out incident response group as well. One of the things we talk about here on this podcast is a lot around storytelling and what happened, crazy stuff. So, how have you guys trained for threats that haven't happened yet?
Lisa Tetrault: Okay, so if I was talking to a general customer, I'd say ensure that you've got basic in-house cybersecurity training across the board and make sure everyone is on the same basic cyber hygiene training knowledge to, you know, reporting your phishing campaigns. And while this has its benefits, like tabletops, like could have like great exercises as it gets you prepared, it also identifies weaknesses, right?
But I really think that we have to consider the environment and the culture that we are instilling and growing within the company, right? If we don't have a safe environment to report when someone has made a mistake with an approachable IT team, a Slack channel where the team can ask a question that is safe to the security team or others, like a community of practice there. If we don't have that community of cyber safety, the company and rewarding it, then I think we're going to be challenged, right? Making it a safe environment for people is really important. In the SOC, I think we need to ensure that everyone has the basic principles in troubleshooting. Do you know how to critically think? Do you have the basic tools to navigate the unknown? How would you navigate if an issue that you had faced was completely out of left field, right?
Who would you bring in in that situation? How would you collaborate? What's the process that you would follow? And like we have to start stretching the team members into that uncomfortable situation, which we do. And when they do that, all the things start to fall in place. Are they good with the tools that they have? Are they at their fingertips? Where was the context switching? How could that have taken away? Was there an ego at play that we need to coach somebody on, right?
I have a team member here actually in Canada that anytime he finds something that he's never touched before, seen before, he stands up in the SOC, literally stands up and says, I found something really cool. Who wants to see this? Of course, we're already in a secured area, but it's because it's something new and he wants to show and teach other people, but he doesn't necessarily know what he's about to get into or see.
But it's because it's so unique and novel. It's an area that people can grow and learn and we can all get together and make it a community of practice to learn, right? And so to me, it's fostering that culture and that's what makes us all better, right? Do you have the skills? Do you have the capabilities? Do you have the framework? Do you have the safeties? Like to be able to do that.
Mick Leach: Yeah. Yeah. You know, for too long, at the risk of getting on a soapbox here for a moment, you know, I think the security teams have largely been sort of the department of no, no, you can't do that. No, you can't do this. No, you can't install that software. We wouldn't, we wouldn't do a great job of partnering with the business to understand the, you know, the aims. Why and ask questions. Why do you want to do this? What, what goal are you trying to achieve and better partnering with the different areas of the business and being a value add capability for the business. That's the goal for security at the end of the day anyway, is to help build the business and allow it to work more efficiently and more safely. And so I love everything that you're talking about here because I think that's really important is to ask those questions, create an area where it's okay to say, I don't know.
Create an area where it's safe to say, hey, something just happened, or I even just did something. I don't know what I was thinking, but I did a thing, and now my computer's acting weird, or something happened. But when you create this adversarial relationship between the security department, especially SOCs, and the rest of the business, what you're doing is shutting down lines of communication instead of fostering them.
Lisa Tetrault: Absolutely. I think even like CISA kind of led the way, right? And trying to be more informative and like a body of information. Like when Jen Easterly was in office there, like they even have CISA can run like tabletop exercises out there for businesses too, right? Like they're trying to change that persona that they have. And like we can all really take those, you know, brick walls down and start again, like you say, instead of saying the department of no, say the department of, you let me help you get there, right? It's about being more secure over and over and iterating, I think, over time. And I think over, like, it's all about just getting a little bit better every day, every day, just a little bit stronger, a little bit more secure. And I think over time, it makes a material difference.
Mick Leach: I love it. Love it. Okay. I'm going to shift gears one last time and ask questions. One of the things we love to do on this particular podcast, there's undoubtedly someone listening going, my gosh, everything you're talking about is so cool. I want to work at, you know, Arctic Wolf or in cybersecurity or I want to go, I want to be the alpha, the alpha dog, the alpha wolf at the, at the next offsite next year. How do I get there? So career advice.
You've been around a good long time. I've been around for a few minutes in the industry, whether it's, you know, certifications, is it formal schooling, right? Do you go to college? Do you just study on your own? Do you do Hack The Box and, you know, TryHackMe? What works for you and what are you, what sets people apart at Arctic Wolf in terms of the folks you're hiring? What would you, what advice would you offer someone that says, I want to do this?
Lisa Tetrault: I think the best thing that we see come through is people that had the aptitude to learn, they put themselves out there, they go and they really try, they show up, they might be at a conference, volunteering even. We take on career pivots as well, that's another avenue in. Really someone with a passion of cyber and wanting to learn.
I don't know that we look for anyone specifically that is in a box, okay? Because that's not the perfect cyber professional. We care about people that can think critically. We look for people that are ready to take on a challenge, that have the right skills, capabilities, that are willing to grow, right? There's not a perfect person. It's the right attitude.
It's the right, you know, personality. I don't even know if it's a personality. It's really the drive. It's the drive and willing to show up in an environment and say, like, I don't know, but I'm going to go figure that out. Right. And as I said, it's like the person that put their hand up and say, you want to see something cool? You know, I just found this. And willing to teach each other and be team players. I think that's really the people that we're looking for here at Arctic Wolf.
You know, we're really striving to help customers get better in this environment and guide them. And, you know, this is really, we're a pack. And if you're not a team player, you're not going to make it, right? That's really what we are. So it's hard to say specifically what it is that we're looking for more than it's your aptitude to learn, your attitude and really your desire and passion is really what we're looking for. So it could be seven of 10 things versus all 10. But showing up and being ready to learn and eager and capable is really what we're looking for.
Mick Leach: I love that. Without even realizing it, you may have probably just encouraged a whole bunch of people because particularly as it relates to the box, right? You don't look for some, you know, defined formula of what makes up SOC analysts. You have to have had, you know, you have to come from the network space, you know, where you were a network admin, or you had to do these things before you can get into here.
You know, so many of my guests that come on this podcast talk similarly about, listen, there's no one route into cybersecurity and neither is it a straight line either. You know, many folks take all these crazy ways to get in, and then they're better for it.
Lisa Tetrault: That's right. I mean, I have a substitute teacher that did a career pivot. I have an HVAC team member that came in through that path. We have electricians that came in and some of them are tier three analysts now. I mean, we also have traditional paths. You know, it's totally fine. And what we really like is when we can hire in cohorts, because when we put a traditional path with a non-traditional path together,
Mick Leach: Love it.
Lisa Tetrault: The way they think together and bounce ideas off of each other is incredible.
Mick Leach: Yeah, I love hearing that. It made me think one of the best SOC analysts I ever had an opportunity to hire, Kurt Grossman, if you're listening, it's you, was a copier repairman. He had joined us. He had worked at Xerox for like 18 years and was in school taking a cybersecurity class and then ended up getting a degree in cybersecurity. He said, I want to try something new and I like trying to understand what the problem is and diagnosing the problem. I was like, wow, that's, I mean, yes, it's very different. But to your point earlier, in terms of critical thinking skills, if you can break down the problem and work backwards from this is the problem, how do we solve that problem? The reality is a lot of that translates to a SOC. So anyway.
I love it, I love it, love it. Because that's gonna be really encouraging for folks that wanna get into what we're doing. Absolutely. Yeah, I mean, you guys hiring right now?
Lisa Tetrault: Yes, we are. Of course we are. There we go.
Mick Leach: As are we, as are we. So folks, if you're looking for a job and you come, come take a look. There's many others too. So this is a great, great place to get to work in cybersecurity. Lisa, first, I just want to say thank you on the front end here. This has been so much fun, but I will ask you one last question. And it's simply this. We've had a great discussion. It's ranged all over the place as all of these discussions typically do. But if our audience can only take away one thing from our discussion, what would you have that be for them?
Lisa Tetrault: Hmm, what would I have them take away? I would have them stay diligent, right? And really each and every day think about how you can contribute back to the cyber world actually. This is an ever evolving landscape here. If you're still hesitant on the AI side, I think you need to lean in because this isn't going away. And I really think we all have to learn a little bit every day, but we have to be diligent out there. Mm-hmm. Yep. Let's do it.
Mick Leach: Couldn't agree more. Couldn't agree more. Awesome. Well, Lisa, thank you so much for coming on the podcast. In terms of giving back, this is your way of doing that because I know how busy you are, and I know how important you are to the team over there at Arctic Wolf. And so I'm so grateful that you chose to spend some time with our listeners today. So wish you the very best of luck. I will see you, I think, next week in person, which would be great. Good to see you again. Yeah, of course.
And so, folks, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I am your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe, and check out our other SOC Unlocked episodes. We'll see you all next time. Thank you.
In this episode of SOC Unlocked, host Mick Leach sits down with Lisa Tetrault, Senior Vice President of Security Services at Arctic Wolf, to explore AI-driven threats, SOC leadership, and building a culture that keeps analysts engaged and effective.
With more than 25 years in security and operations, Lisa shares her path from network operations to leading Arctic Wolf’s global SOC, concierge security team, and incident response division. She discusses the rise of AI-powered social engineering, the limits and promise of AI in security, and why “human in the loop” remains critical.
Lisa also reveals how her team combats burnout with smarter workflows, strong recognition programs, and a culture that values variety, growth, and celebration. This engaging discussion shows how people, processes, and technology come together to elevate and fortify modern SOCs—making it a must-listen for anyone in cybersecurity.
Insights
Reducing analyst burnout is crucial for effective SOC operations.
Metrics should focus on the value provided to customers, not just data points.
Training and fostering a culture of learning is essential for SOC teams.
AI can help in threat detection, but it is not a complete solution yet.