Endpoint Security

Tony Anscombe On The Growth And Evolution Of MDR

Tony Anscombe, Chief Cybersecurity Evangelist at ESET, discusses how MDR can consolidate security processes, and the balance between artificial and human intelligence in the MDR space.

Last updated on Apr 8, 2025
Written by Caitlin Harris

“We’re at that point where we’re in a car that has the ability to work autonomously, but we’re holding the wheel. Now, will it become autonomous at some stage? Maybe. But you’ve got to be absolutely sure that it’s going to behave correctly and be safe to let it make its own decisions.”

In an exclusive interview with Expert Insights at ESET World 2025 in Las Vegas, ESET’s Tony Anscombe discusses how MDR can help close the cyber skills gap and consolidate security, how security providers are incorporating AI into MDR, and the balance between human and tech-centric security.

Note: This interview has been edited for clarity.

You can also listen to this conversation over on the Expert Insights Podcast here.

Q. Many organizations are struggling to find and retain security talent with the cybersecurity skills gap. How can MDR help IT and security teams bridge that gap and strengthen their defenses?

A. That’s a really important question. Just in the US alone, there are around 400,000 jobs at any one time advertised for cybersecurity, and there are about 200,000 candidates. So, there is your problem: even if all the candidates got a job tomorrow, we’re still 200,000 people short here in the US. If you look at the global numbers, we’re about 3 million people short.

So how does MDR fit into that? Well, if I’m a big business, I might have big salaries, I might be able to keep a lot of people engaged, I might be able to afford to pay them, I might be able to rotate their careers through different parts of the organization to keep them interested, etc. But if I’m a medium-sized or smaller business, I’m going to struggle to find the right people and the right talent. And once you step down further into local government or school districts, that’s going to become even more challenging again.

In small businesses, it’s a huge issue, which is where MDR plays a role. So, if you want to use what I define as a “modern cyber security product”, such as EDR or XDR, you use a managed version of it and have an expert monitoring it and actually running it.

Q. Another big challenge security teams are facing is the constant pressure caused by alerts and false positives. How does MDR improve signal-to-noise ratio and help teams focus on real threats?

A. I’m going to answer that in two parts. There’s MDR and there’s EDR. If you’ve got an EDR in place, you want some form of intelligence within the management system of the EDR that’s going to prioritize alerts and tell you which ones you need to address first. Now that’s much the same when you move to MDR. The difference is, the MDR provider may well be answering the priority alerts for you. 

Say for example, it’s Friday night. We should be heading towards the pub. But your EDR system pops up and says there’s some suspicious activity on a machine on floor three. An MDR provider would actually isolate the machine, so when you come back into work on Monday morning, it’s isolated and ready for you to investigate what went on. So, it’s answering the critical alerts in real time when you’re off enjoying your weekend.

You often hear of cyber security people getting fatigued because of the number of alerts. MDR takes that pressure off.

Q. I liked your point about being stopped from going to the pub by an attack coming in—attackers don’t tend to wait until we’re back in the office!

A. No, they wait for you to get to the pub and have ordered the pint! That’s the problem. But it’s more than that. Going back to the first question you asked about the skills gap, MDR does the grudge work. If you outsource the things that aren’t interesting, it means your internal team only investigate the things that are interesting. That helps with the skills gap issue because you’re retaining staff, because they’re not getting into all those mundane alerts that the MDR provider is taking care of.

Q. One of the big topics at the show this year is AI. How is ESET incorporating AI into its MDR services, and what problems is it solving?

A. Inherently, there’s AI throughout the entire product suite, because if you think about the concept of EDR, it’s taking huge amounts of data—all the traffic or the processes running on a device, etc.—and it’s crunching that down. Put 5,000 devices in the mix, and there’s no way any human could look for the anomalies that might be happening on that network.

Once you get into the management, it’s about that prioritization and using automated alert systems and automated responses based on the patterns that you’re seeing. 

We have an AI system looking at the alerts as they come through and looking at the severity and making a decision for you. And if the EDR system is set up to respond correctly, some of these responses should be automated; the system should say, “That’s suspicious; we’ll isolate that device.”

Q. There are still some differing opinions on how much AI should be incorporated into these types of solutions. In one of the keynotes earlier today, there was a statistic that 54% of organizations would be happy to not have a human look at the investigation before it’s closed. On the other hand, there are a lot of people still very concerned about AI. So, how can security teams set realistic expectations around what it’s going to achieve for them, as well as break down some of those concerns?

A. Let me answer your statistic question first. Without understanding what’s behind that statistic, who was asked, and what size business it was; if I take a hundred organizations and put them in a room, 95% of them will be small businesses. If I ask a small business owner whether they want a human looking at cybersecurity alerts or the machine to do it for them, they’re going to be focused on running the business. So, they’re going to answer and say, “I’m quite happy for the machine to do it for me.” 

But I think it’s important to have human interaction behind it. You might see things as a human that are different. You might look at something and see that, actually, that is a false positive, or that’s not a false positive, or there may be a reason behind the alert that’s being raised, such as somebody travelling in the business. Where the AI is working off data, it doesn’t have those outside cases that the human might well know or be able to digest in a different way. 

To give you an analogy, we’re at that point where we’re in a car that has the ability to work autonomously, but we’re holding the wheel. Now, will it become autonomous at some stage? Maybe. But you’ve got to be absolutely sure that it’s going to behave correctly and be safe to let it make its own decisions. 

Q. Looking to the future, do you see AI playing a bigger role in attack detection as we see an increase in AI-driven cyberthreats?

A. For a company like ESET, threat detection has already been there from an AI perspective for a long time. We started using neural networks back in 1997. To put that in perspective, OASIS released “Be Here Now” in 1997! 

And it’s been a progression. If in 1997 or even the early 2000s, some security company had turned and said, “We’re now trusting our security to AI,” you can imagine the world would have run away from that company for the hills and looked at other products, because nobody would have understood it. 

But today, everybody wants it in everything. And it’s inherent throughout our technology; it’s in most of our detections, and it’s in our management. 

Q. How else do you see MDR evolving in the next 3-5 years?

A. I think MDR will become way more normal over the next two or three years for a lot of smaller businesses. As XDR and EDR technology become more of a requirement for medium-sized and smaller businesses, the only way I believe they can really run it is as a managed service, because of the skill shortage there. 

Also, a lot of companies will look to mitigate financial risk. If a small business has a data breach, they probably go out of business. So, when you’re trying to mitigate that financial risk, you’re going to take out cyber risk insurance or business disruption insurance, and they’re going to require you to have a modern cyber security architecture to reduce their risk—at which stage, you’re going to end up with MDR. 

So, I think these services are going to grow and grow, and it’s actually going to be pushed not from a cybersecurity perspective, but from a financial risk perspective. It’s going to be driven by the CFO wanting it, as opposed to the security team.

Q. For organizations considering MDR but unsure where to start, how can they get started on that journey?

A. Firstly, you’ve got to decide what it is you want to protect, and then you need to look for a provider that can actually protect what it is you’ve got. Many organizations don’t understand their assets to start with, so that’s a good place to start. And then it’s about talking to the provider and making sure that you have that comfortable feeling with them, and a trusting environment.


Thank you to Tony Anscombe for taking part in this interview. You can find out more about ESET’s MDR solution via their website.



Written By

Caitlin Harris is Deputy Head of Content at Expert Insights. Caitlin is an experienced writer and journalist, with years of experience producing award-winning technical training materials and journalistic content. Caitlin holds a First Class BA in English Literature and German, and provides our content team with strategic editorial guidance as well as carrying out detailed research to create articles that are accurate, engaging and relevant. Caitlin co-hosts the Expert Insights Podcast, where she interviews world-leading B2B tech experts.