A Conversation with Brian Stewart, Senior SE, Scotland at Arctic Wolf.
How did you get started in cyber security and what has kept you in the field?
I joined Arctic Wolf as part of their continued international expansion into EMEA, initially covering Scotland & Ireland, then became dedicated to Scotland as we’ve continued to grow at a relentless pace and hired another dedicated team for Ireland.
Day in, day out I work with customers to achieve their desired cyber security outcomes and dramatically improve their security posture through the adoption of Arctic Wolf solutions and Concierge service. I’ve built a wealth of experience in Enterprise IT from over 20 years working for leading technology Vendors, Channel Partners and customers in roles across Systems Engineering to Consultancy & Technical PreSales. All of my roles have involved elements of cyber security, so it was great to focus fully on it when our now RVP of PreSales across UKI & BeNeLux – Nick Dyer – head-hunted me into the role following us working together previously elsewhere.
I stay because our customers love us and are happy to spread the word to others, which helps greatly in our mission statement to ‘End Cyber Risk’ through focusing on human expert-led outcomes rather than tools with our customers, and it gives me great pride and immense satisfaction to hear their feedback on how we shielded them from XYZ’s latest attack and that their experience of our service has been exactly as described before they joined us.
The Current Landscape
What is one cyber security challenge or trend you are currently seeing in your sector?
Identity is the new perimeter. Adversaries increasingly target users and service principals (MFA fatigue, token hijacking, malicious OAuth, legacy protocols) and exploit SaaS sprawl. Operationally, this is a 24×7 problem: 51% of alerts occur outside business hours – so ‘9-5’ coverage leaves a gap [1][4].
How is this issue showing up in practice for your organisation or clients?
We often see a single credential issue or phish lead to mailbox rule changes, session/token theft and privilege escalation in cloud admin planes. When direct intervention is required, it’s mostly identity‑centric – 72% of our containment active‑response actions involve identity (force sign‑out, revoke tokens, disable accounts) [2]. Early detection helps ensure the majority of investigations are contained at initial access; recent summaries indicate ~2% of 9,000+ investigations become confirmed threats [6][7].
Response & Lessons Learned
How are you or your team responding to this challenge?
We operate on outcomes over tools: 24×7 monitoring and threat hunting across identity, endpoint, network, cloud and SaaS; hardening security posture baselines (phishing‑resistant MFA, Conditional Access, device compliance, least privilege) in the proactive Concierge work we do with all of our Security Operations customers, along with vendor-neutral detection and response playbooks developed at scale for rapid containment of incidents we see across our 10k+ customers. We operate the world’s largest commercial SOC – AI handles volume and initial triage at our cloud platform level as we ingest and enrich security telemetry data in real time, whilst human experts validate context and respond to anything flagged to our SOC triage board for investigation. For example, our ‘Alpha AI’ triaged ~10% of alerts and eliminated 860K+ manual reviews, accelerating response without replacing analysts or engineers – instead enabling them to use their time efficiently on cases where human expert-led investigation is key [1][2][4].
What is one insight or lesson you have learned that others could benefit from?
Signal quality beats tool quantity. Turning massive amounts of security telemetry into a small number of high‑fidelity alerts – e.g., reducing 330 trillion observations to only millions of alerts (one alert per ~138 million observations) – creates capacity to lower risk with faster MTTD/MTTR and to operate with industry-leading service levels and CSAT ratings [1][4].
What is a common mistake or misconception organisations have when dealing with this issue?
Relying on endpoint tools alone. Without identity, network, cloud and SaaS telemetry – and the ability to act fast on those signals – attackers route around controls. Another misconception is that AI replaces analysts and engineers; public materials emphasise that humans + AI is the best solution, where AI reduces noise and human experts provide judgement and direct intervention [1][2].
Leadership Perspective
From a leadership standpoint, what should executives and technical teams be aligned on when it comes to cyber security?
Agree risk appetite and recovery objectives, name your crown jewels you absolutely, positively need to protect, and pre-define who the decision‑makers should be during incidents. Fund to those outcomes with sensible KPIs around things like MTTD/MTTR, phishing compromise rate, privileged‑access reviews and remediation SLAs – and recognise that half of security alerts land after hours, so your operating model must be genuinely 24×7 [1][4].
What is one small but meaningful action organisations can take today to improve their security posture?
Enable phishing‑resistant MFA for all privileged identities, disable legacy authentication, and alert on suspicious inbox rules. Pair it with continuous monitoring so after‑hours activity is covered. These directly blunt today’s most common identity‑led breach paths [1][2].
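The answer above recommends alerting on suspicious inbox rules. As an added illustration that is not part of the interview and not Arctic Wolf’s own tooling, the following Python scores constructed mailbox-rule audit events (field names are assumptions loosely modelled on Exchange inbox-rule cmdlet parameters) for the patterns a defender typically looks for after a mailbox compromise: external forwarding, message deletion, hiding mail in rarely-read folders, keyword filters on sensitive subjects, near-empty rule names, and after-hours creation.

```python
# Constructed sample audit events (not taken from the page). The record shape and
# parameter names are assumptions modelled loosely on New-/Set-InboxRule cmdlets.
SAMPLE_EVENTS = [
    {"user": "alice@corp.example", "op": "New-InboxRule", "hour": 3,
     "params": {"Name": ".", "ForwardTo": "drop@external.example", "DeleteMessage": True}},
    {"user": "bob@corp.example", "op": "New-InboxRule", "hour": 10,
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading", "SubjectContainsWords": ["digest"]}},
    {"user": "carol@corp.example", "op": "Set-InboxRule", "hour": 14,
     "params": {"Name": "a", "MoveToFolder": "RSS Subscriptions", "SubjectContainsWords": ["invoice", "password"]}},
    {"user": "dave@corp.example", "op": "Set-Mailbox", "hour": 9, "params": {"AuditEnabled": True}},
]

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain; forwarding elsewhere is flagged
SUSPICIOUS_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}
CREDENTIAL_WORDS = {"password", "invoice", "payment", "mfa", "verification", "bank"}

def score_rule(event):
    """Return (score, reasons) for one audit event; 0 means nothing suspicious."""
    if event["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = event["params"]
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = p.get(key)  # assumed to be a plain address string in this sample
        if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"{key} to external address {target}")
    if p.get("DeleteMessage"):
        reasons.append("rule deletes messages")
    if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder {p['MoveToFolder']!r}")
    words = {w.lower() for w in p.get("SubjectContainsWords", [])}
    if words & CREDENTIAL_WORDS:
        reasons.append(f"filters on sensitive keywords {sorted(words & CREDENTIAL_WORDS)}")
    if len(p.get("Name", "")) <= 2:
        reasons.append("rule name is blank-like (easy to overlook in the rule list)")
    score = len(reasons)
    if reasons and not 8 <= event["hour"] < 18:  # only weight timing when something else fired
        score += 1
        reasons.append("created outside 08:00-18:00")
    return score, reasons

def triage(events, threshold=2):
    """Return events scoring at or above threshold, highest score first."""
    hits = []
    for e in events:
        score, reasons = score_rule(e)
        if score >= threshold:
            hits.append({"user": e["user"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])
```

Running `triage(SAMPLE_EVENTS)` surfaces alice (external forward, delete, blank name, 03:00) and carol (hidden folder, sensitive keywords, blank name) while bob’s ordinary newsletter rule and dave’s non-rule event are ignored.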
Looking Ahead
What emerging threat, technology or trend should organisations be paying attention to over the next 6–12 months?
Identity Threat Detection and Response (ITDR) becomes table stakes as social‑engineering and token abuse continue to rise. Expect more AI‑assisted phishing (including voice cloning) and increased SaaS/third‑party blast radius; focus on mapping trust relationships and minimising privilege across identity and SaaS – not just Endpoints [1][3].
Is there something in cyber security you think is currently under- or overestimated?
Overestimated: AI as a silver bullet – it accelerates both sides of cyber security – attackers and defenders. Underestimated: comprehensive identity/SaaS logging and routine attack‑path reviews that strip unnecessary privilege before an incident, not after [1][2].
Quick Fire
Favourite cyber tool right now: Arctic Wolf Aurora Endpoint Defense – it’s revolutionary because it uses a veteran predictive-AI model (trained on vast data sets over many years) on Endpoints rather than being signature-based like the rest of the Endpoint tools favoured by the industry up until now. This means higher efficacy across attack types with lower system resource utilisation from the elimination of constant scans and signature file updates. Of course I’d also highly recommend it’s managed by us to ensure the outcome of optimally protected Endpoints, alongside our broader Security Operations service monitoring telemetry from across our customers’ cyber attack surfaces to spot the early signs of an attack long before anything reaches Endpoints.
One resource you recommend (book, podcast, report): Our ‘Making Security Work: The Shift from Tools to Operations’ on-demand webinar available here.
Someone in the industry to follow: Ismael Valenzuela – Vice President Labs, Threat Research & Intelligence at Arctic Wolf.
Final Thought
What is one thing you wish every organisation understood about cyber security?
Cyber security is fundamentally an operations discipline. Tools help, but it’s the 24×7 monitoring, rehearsed response and continuous improvement that create resilience and the metrics should show it [1].
Sources & Attributions
[1] Arctic Wolf press release: ‘2025 Security Operations Report Reveals Threat Landscape Acceleration, Majority of Security Alerts Now Occur Outside Working Hours’ (Sept 16, 2025) – https://arcticwolf.com/resources/press-releases/arcticwolf-2025-security-operations-report-reveals-threat-landscape-accelerationmajority-of-security-alerts-now-occur-outside-working-hours/
[2] Cybersecurity Dive coverage: ‘Context is key in a world of identity-based attacks and alert fatigue’ (Sept 16, 2025) – https://www.cybersecuritydive.com/news/threatmonitoring-context-false-positives-report/760237/
[3] Webinar page: ‘Inside the 2025 Security Operations Report’ – https://arcticwolf.com/resource/aw/inside-2025-security-operations-reportwebinar
[4] Syndicated press release coverage (e.g., Markets Insider) echoing key stats – https://markets.businessinsider.com/news/stocks/arctic-wolf-2025-securityoperations-report-reveals-threat-landscape-acceleration-majority-of-securityalerts-now-occur-outside-working-hours-1035151487
[5] Report landing page: ‘2025 Security Operations Report’ – https://arcticwolf.com/resource/aw/security-operations-report-2025
[6] LinkedIn summary referencing ‘Only ~2% of 9,000+ investigations confirmed threats’ – https://www.linkedin.com/posts/wayne-feyer_arctic-wolf-networks-justreleased-our-2025-activity-7375949609380036608-BFmx
[7] Tradepub listing referencing key stats (51% after-hours; 2% confirmed threats; 860K+ manual reviews) – https://www.tradepub.com/free/w_arcf43/