
Stephen McCarney, the Chief Marketing Officer of the Merlin Group, shed light on how innovation and exploration of new technologies take place at the company’s lab, aptly called a “playground for disruption.”
He expressed concern over the future misuse of quantum computing to crack encrypted data and described a better approach: having customers test tools before investing in them.
Adversaries are relentlessly trying to disrupt security, and the Merlin Group is prepared to fight cybercrime with the U.S. government. This is reflected in the spirit embodied by McCarney, who reiterated the importance of trust among the sales team, who take the solutions to the end users and make difficult details understandable.
Read the full interview to learn how the Merlin Group is working with the U.S. Government and critical infrastructure markets to fortify security, and the role of authorizations such as FedRAMP.
1. Please share your journey so far, including your strengths and weaknesses and how you handle challenges at work. What are your winning traits as the Chief Marketing Officer of the Merlin Group?
My background is rooted in working with small and large technology companies seeking novel approaches to accelerate growth. Every company I work with is at a different stage along the growth maturity spectrum – some are early stage, still seeking product-market fit; others are very mature and are seeking ways to reinvent their brand and identify areas to invest in new growth.
The common thread of my journey is working with senior leadership to accelerate growth and scale. For nearly two decades I worked mostly with SaaS companies in the cybersecurity industry, helping to map innovative security solutions to market needs, create/define new security categories like SASE, and rapidly drive companies forward.
I joined Merlin more than five years ago, during a time when the founder wanted to re-imagine the business. Merlin had successfully been in business for more than 20 years when I joined the company. We formed and launched Merlin Ventures, centered our focus on cybersecurity with Merlin Cyber, and also formed and launched Constellation GovCloud (which today is simply CGC).
I believe my strengths coming into Merlin included broad and deep knowledge and understanding of the cybersecurity industry and tangential areas (cloud, AI/ML), which enabled me to work across the landscape of early-stage portfolio companies and large best-in-class cybersecurity partners.
I also believe my holistic enterprise approach to transformation and growth enabled me to rapidly operationalize changes to infrastructure, processes, systems, etc. to reduce time to value. One of my greatest challenges has been managing so many tentacles and dedicating the necessary time and focus to each.
2. Could you outline the main solutions offered by Merlin Group’s affiliates, namely Merlin Ventures, Constellation GovCloud, and Merlin Cyber?
Merlin Ventures is the venture capital fund of Merlin Group. We invest in seed stage cyber companies and help them scale. We have an office in Tel Aviv, Israel, which is where a lot of cybersecurity innovation comes from.
CGC is the compliance acceleration and market readiness affiliate of Merlin Group. Our platform accelerates NIST-based compliance such as FedRAMP and StateRAMP for SaaS companies and helps them unlock massive growth markets that are highly regulated, e.g. federal government, critical infrastructure.
Merlin Cyber is the go-to-market and Zero Trust modernization affiliate of Merlin Group. We represent best-in-class and emerging technologies to deliver technically-vetted, public sector-ready solutions to the U.S. Government.
3. What are some of the solutions offered by Merlin Cyber? How does the Merlin Cyber team approach the U.S. Government with regard to modernization tools and services?
Solutions offered by Merlin Cyber focus heavily on Zero Trust Modernization for the U.S. Government. Particularly given recent mandates to drive efficiencies, Merlin Cyber provides comprehensive solutions that advance Zero Trust Architectures with tools that are proven to work together.
For example, identity cryptographic posture and vulnerability management is a priority for the U.S. Government, as called out in OMB Memo 23-02 and other directives that require agencies to take a comprehensive inventory of all of their cryptographic objects.
However, most government agencies do not have the capability to easily do so, often relying on spreadsheets and realizing that they do not know how to wrap their arms around all of their cryptographic objects, let alone understand the risk disposition of them.
This is just one example where we have a solution designed to help agencies easily discover, inventory, and manage all of their cryptographic assets. This is the first crucial step to help agencies close critical vulnerabilities before they are exploited, and become agile in their cryptography management to become post-quantum ready.
Cryptography is the underpinning upon which all of Zero Trust modernization rests.
4. Could you provide more details about GTM sales and marketing executives? What sets them apart from executives who work for other companies?
Our GTM team is comprised of seasoned executives who know the market and the customer exceptionally well. As cool as technologies are, sales and marketing always comes down to one thing – trust.
Trusted relationships are what we value most. We hire exceptionally bright executives who have lots of experience and are customer-obsessed. We seek out team members who enjoy moving very quickly, thinking of novel ways of approaching challenges, and are extremely reliable.
5. How are new tools and technologies tested in the Merlin Group’s Innovation Lab? How is the innovation lab equipped?
Our lab is a proving ground for the U.S. Government and other critical infrastructure markets, or what I like to call a “playground for disruption.” Our team of cybersecurity architects and engineers brings various technologies into the lab and tests them.
More importantly, they explore how different technologies could work together. Through the lab we discover really interesting, often complex use cases that can be addressed by unique combinations of technologies.
Customers appreciate this proving ground because it replicates their environment and they can actually see how technologies would work before taking the risk to purchase and deploy in their infrastructure/environment.
6. Could you share insights about the cryptographic inventory and posture management services provided by the Merlin Group?
Sensitive data is being exfiltrated by adversaries at an alarming rate – they are retaining the encrypted data for when quantum computing matures to the point where all the data could be easily cracked.
In essence, I like to refer to this as witnessing one of the largest zero-day attacks in the making – but many people still don’t appreciate the risk today, especially given successful compromises like Storm-0558 and many others that leverage exposed or unmanaged keys.
The first step organizations must take is to know what the dispositions of all of their cryptographic assets are. This means they must first discover and inventory their cryptographic assets. Merlin Group provides this capability for the U.S. Government through InfoSec Global’s AgileSec Analytics platform.
Merlin Group had invested in InfoSec Global, is accelerating FedRAMP authorization for the solution, is instrumenting into the CGC cloud to deliver cryptographic posture management-as-a-service, and has facilitated integrations with very large, established technology providers to extend new capabilities and simplify adoption of them.
7. Are there more companies approaching the Merlin Group now for compliance-related services like FedRAMP and StateRAMP authorization, keeping the increased rate of cyber attacks in mind? Can you share your observations about it?
Yes. Years ago, the U.S. Government used to be the hotbed of innovation. However, today, most R&D sits in the commercial market, requiring the U.S. Government to look to the commercial market for groundbreaking innovations.
However, all SaaS technologies must be FedRAMP-authorized in order for the U.S. Government to use them. Over the past 12 or so years, only around 400 SaaS technologies had achieved FedRAMP Authorization.
There are tens of thousands of cyber technologies – this was the reason we created CGC, to ultimately accelerate access to innovation. We do this by removing the seemingly insurmountable cost and time friction associated with pursuing FedRAMP/StateRAMP.
Today, more and more companies recognize that achieving such authorizations delivers immense enterprise value by helping to unlock new growth markets while also equipping them with a competitive advantage.
8. Merlin Group collaborates with over 300 CISOs to help partners with product roadmap insights and customer acquisition strategies. How is this service different from having in-house CISOs?
We believe in building communities and ecosystems that, when brought together, deliver a flywheel effect of value. This is also true for our CISO community. Each member of the community brings his/her unique perspective to the table.
These perspectives drive immense value to us and to others in the community. If we were to merely focus on in-house CISOs, I’m afraid we’d be severely limiting the executives as well as ourselves.
We prefer to take a very collaborative approach to business and welcome fresh perspectives from across companies and industries. Our community is comprised of executives from commercial and government markets.