ARN

AC3 invests in cyber security to power next growth stage

Doubles down on security offerings for Microsoft.
Damien Luke (AC3)

Damien Luke (AC3)

Hybrid cloud specialist AC3 is hedging its bets on cyber security as it prepares to fuel its next stage of growth throughout 2023. 

The Sydney-based Microsoft and Amazon Web Services (AWS) partner currently has a number of open vacancies for its “massively growing” cyber security practice, which it launched two years ago. 

Now, under the leadership of Damien Luke, AC3 is preparing to double down on its security investment as it aims to grow its security customer base. 

“We saw a strong need to specialise in [the security] space,” Luke told ARN. “It initially started with our customers, and we realised it was an important market for us to be in. 

“The threats our customers are facing required us to double down on this and maintain this specialist capability. It also works well as both a service provider and a managed security services provider (MSSP). It gives us an edge that many of our friends in the market don’t share.” 

As head of AC3’s 16-person cyber security practice, Luke is responsible for both the company’s internal security and external security offerings.   

Although 60 per cent of the work is currently internal, Luke expects the external arm to grow rapidly, especially for Microsoft’s security solutions. 

“We do have a range of offerings, but going into next year, we’re very much doubling down on our Microsoft capability,” he said. 

“This is based on our existing relationship with Microsoft, but also because they have built a lot in the last couple of years, including Sentinel. They have a very mature product offering and it’s easy for us to have a discussion with the customer about it, as they will already have Microsoft 365.”  

Currently, AC3 is a solutions partner in security, infrastructure, digital and app innovation and data and artificial intelligence under Microsoft’s new Cloud Partner Program. 

It also has advanced specialisations in cloud security and Windows server and SQL server migration to Microsoft Azure. 

In addition to building AC3’s Microsoft security practice, the cyber security arm works with AC3’s consulting team around uplifting companies’ security posture, “making sure programs are effective, alongside security operations such as monitoring environments and incident response”, Luke said.  

To ensure its customers are fully safeguarded, AC3 runs a security operations centre (SOC), which operates 24/7 from Sydney using an on-call model. 

While some MSSPs choose to run SOCs overseas, where the workforce is cheaper, others may work with a vendor to leverage their SOC. 

However, Luke is adamant that AC3’s SOC will remain in-house and in Australia.

“We built our own SOC because we didn’t want to be tied into a certain vendor,” he explained. “We provide that service across multiple vendors, which gives us a key differentiator.   

“Data sovereignty is extremely important to us, so we must provide our customers that assurance that all their data is housed in Australia. That’s a huge value proposition for us in the market.” 

Data sovereignty also gives AC3 a significant in-road with working for some of the federal government’s most classified material. 

Its public sector credentials were also recently bolstered by gaining membership in the Defence Industry Security Program (DISP), effectively giving AC3 a security clearance to work on certain contractual projects.  

“We’re definitely seeing customers asking us how to protect their data, and to do that they need to have certain controls around it,” Luke said. 

Additionally, since news broke around Australia’s two most high-profile cyber attacks in its history – Optus and Medibank – Luke has been inundated with concerned customers over their data protection. 

“It feels like I’ve spent the last few weeks doing nothing but talking to customers about their security posture,” he said. 

“We have seen a huge uptake in people looking for penetration testing in the market; they want to see what their external attack surface looks like. Customers are also working with us around assessing their security controls. Things like Essential 8 are coming up more and making sure customers have fewer processes in place.” 

Looking ahead to 2023, Luke anticipates another busy year for AC3 as it attempts to gain further specialisations with Microsoft, including cloud security and threat detection. 

“We are definitely going to keep investing in Microsoft security, building out our coverage, capacity and capabilities there. We want to make sure we have that strong run rate there.  We are going to invest in building out our platform and our DISP. 

“We would advise any customers now to have effective back-ups. Customers should work with security partners too if they don’t have the capability in-house.”