Ep 24: How AI Augments the Future of Autonomous Cybersecurity with DXC Technology VP & Global CISO Michael Baker

‍Evan: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity.

I'm Evan Reiser, the CEO and founder of Abnormal Security

‍Mike: And I’m Mike Britton, the CIO & CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Michael Baker, Chief Information Security Officer at DXC Technology. DXC is a global IT services leader, providing infrastructure, consulting, and cybersecurity solutions for nearly half of the Fortune 500. With 125,000 employees operating across 70 countries, DXC delivers a vast portfolio of managed services.

In this conversation, Michael discusses how DXC manages its massive attack surface, the role of AI in automating SOCs, threat hunting & vulnerability management, and the future of AI-enhanced cybersecurity.

‍Evan: Well, Mike, first of all, thank you so much for taking time to join us today. Uh, do you want to share with our audience a little bit about DXC and maybe what your role is today and love to hear like, how you, how'd you get to where you are? 

Michael: Oh, yeah. Well, thank you for the opportunity first and foremost to be on this. Um, this is our second conversation with this team. I'm always excited to, to join you, um, and, and have this talk, but you mentioned Mike Baker, I'm the global CISO for DXC technology. 

So DXC, if you don't know us, we're a rather large, uh, global technology provider, right? We do normal infrastructure stuff. I mean, we've been doing that for a very long time.

We do consulting and engineering. We do app development. We do insurance software, BPS, and we actually have a really large security practice that's out there as well. A significant number of practitioners, like three and a half thousand security experts at DXC, assisting something like 200 clients, uh, writ large in general is we service about, uh, 200 of the Fortune 500 here with their technology needs. So very excited to be kind of operating at the scale of DXC. 

How I came about getting here and what my responsibilities are quite simply as a global CISO is just protecting, um, you know, not only DXC's sense of data, but our customer sense of data, end to end. Uh, which is really interesting and I'm sure you have the same challenge, you know, over there at Abnormal, which is, Naturally, we have an enterprise environment which deals with our sensitive business information. All the services that our employees use, we have about 125, 000 employees globally. Um, how do we secure those services? How do we secure DXC sensitive data, you know, for use by by our company? 

And then finally, you know, on the other side, we have kind of our offerings and what we do to deliver all the services I just mentioned, you know, to those customers globally. And so there's a whole other side of the house there as it relates to, you know, the data centers that we set up to house our customers data, those services that we that we're leveraging. We also have managed and shared services that are out there that's providing value to our clients every day. So on that side of the house, I also have a responsibility to really understand how we are protecting those really to protect our customers data and do the right thing by our customers. So, um, it's a, it's a big responsibility, but it's one that, um, gets me fired up to come to work every day. So it's really exciting.

Mike: I don't know that everybody appreciates the size and scale of DXC's business, but, you know, what are maybe some unique cyber security use cases there that, you know, our average listener may not truly appreciate?

Michael: Well, I mean, I think you just, you, you nailed it on the head, size and scale, something that I came to DXC to really experience and manage and learn and grow myself and boy, I got it. Um, I don't know the exact figure, but we have the, one of the largest IP address spaces in the world. At some point years ago, they told me it was like the seventh largest, but there's been obviously a lot of movement there selling, you know, and deprecating or bringing new stuff on, but an extremely, extremely large attack surface.

And that's something that was very new to me. Uh, attack surface management has been a buzzword for the last two or three years. That really means something here. And it means something, not just in an enterprise context, the traditional CISO is in an enterprise, right? You make a product and you, you protect those systems that help make the product or do whatever.

But I think you can probably empathize as a SaaS company, CISO or, or a technology provider like us, the SaaS and PaaS elements is that dividing line is incredibly gray on where that attack surface is. So it could be a customer owned environment that's registered on behalf of DXC. It could be a managed environment that we manage at least in some form or fashion. It could be an enterprise system. 

The reputational protection doesn't stop at that demarcation line. It's not that it's not that great, right? So, you know, my biggest challenge here is, Really leaning in understanding the business. Understanding the nature of how we deliver our technology services And once I can figure that out, I can assess a risk not just real risk to data, but also reputational risk to the company, which is very very , very fluid, so that's on one side.

And then on the data side, it's even harder, right? Because you look at data, like data drives everything that we do in cyber. Like if it isn't for the data, you know, what is sensitive data for a broad technology company that's global and scale with 125, 000 people across 60 countries, that services any number of industries, like, you know, we're doing a bunch of great AI stuff with like the automotive industry. We, you know, we have a lot of healthcare. We do a lot of stuff with like airlines. What is sensitive to one industry or regulation without one industry doesn't necessarily translate to the other one. So like the data issue in terms of sensitivity and what you're protecting, how you're applying investment to the data that matters the most to the company, isn't as straightforward as I would say some other companies.

Mike: Something we always like to hear from our guests too, is like, how do you feel AI and generative AI are really changing the security workforce of the future is obviously all jobs aren't going to go away. It's going to make us a lot more effective, but you know, when you hire that next wave of, of security, uh, talent. What are you indexing on? What, what are you kinda looking at? 

Evan: And maybe one thing to add on there too is like, um, it was good for the cloud, right? You know, we had like, you know, kind of, it was like a slow rollout in the grand scheme of things, right?

It was like five, 10 years. And we're kind of, you're still trying to figure out how to like set up the cloud perfectly now. But with AI, like things feel like they're changing like 10 X faster. Right. And the technology was brand new last month is now obsolete next month. And so, Yeah, like, yeah, love to hear how you think about, you know, Mike's question was great, like, you know, what are you looking for, but also how do you see the future of the, even the org chart changing, right? 

Naturally, like AI is gonna remove some tasks from everyone's day to day work. Um, yeah, I'd love to hear how you think about that kind of getting the company ready for like that, whatever the AI future is.

Michael: Do you remember that old saying, like, security guys who are like, did not want to go to the cloud and they're like, it's just someone else's computer, like the 2016-17 phrase? Like, I think we have a lot to learn from that, is I think cyber people, cyber practitioners in the early days of cloud were like the force of no, they were, oh, we're going to hold you back. Like, I can't, they couldn't even fathom the shared responsibility model, let alone build to it. And govern it. Right. 

Um, but I think like, that's the lesson of AI now. See, here at DXC, like we take a more, uh, innovation centric approach to AI, right? I think there's some, there's some people out there, and it's context dependent. It's company dependent. I get it. But it's like, we give.

I want our employees to experiment with AI to augment the business and drive business value clearly with guardrails around because data is the key, right? Is it going to protect our data? Is it going to put our data at risk? Where is that data going? Do we have governance in place to figure that out? 

And so we've tried to put here at DXC, those guardrails, because again, AI is our business, right? Like, like we are, we're delivering AI in patient care. We're delivering AI in automotive, like. We are delivering AI solutions right now to customers. And the worst thing I could do as a global CISO is say, Whoa, whoa, whoa, whoa, whoa. Don't experiment with that. Don't innovate. Don't do that. And put a blocker up. So we've really tried to one, harness that innovation kind of culture here with AI, because if we're going to learn our lesson eventually, it is coming.

Evan: So Michael, let's talk about a little bit, right? Like, you know, AI is a, you know, very powerful technology. All technologies are tools and tools can be used for good or evil. And historically, the bad guys are a little faster adopting some of the, you know, the, the new tools, right there that are available.

So how do you see criminals, you know, taking advantage of this and, you know, what do we have to be looking out for? What are areas we need to be, you know, kind of, getting ahead of, right?

What are areas that maybe matter, matter less, right? Attackers shift some of their techniques. Um, you know, what do you think there? 

Michael: I think we're seeing the tip of the iceberg right now, right? We're seeing kind of the democratization of malware development. Right. Clearly AI is enabled, you know, coders everywhere. We can basically have citizen development of malware. Uh, so we're seeing that come about, but I know people are keeping pace with that.

You know, we're seeing right now, like, just an explosion of what I would say would be AI crafted, highly personalized phishing emails. Multimodal sort of phishing emails, business email compromise going through a bunch of different modes. And I think AI is just making that harder and harder to spot, um, you know, through email, but also it's not, it's not even just through email, right?

I mean, we're seeing it. I think I said multi modal or multi channel, right, which is we're seeing it through WhatsApp, we're seeing it through text, we're seeing it through email, um, and it's all coming. And then you think about how has AI augmented the speed and velocity that the threat actor can actually send those out in such an intelligent, personalized fashion.

Um, yeah, that's very scary, right? I mean, business email compromise has been around for years, um, and it's something we've been fighting. Like, you're always fighting that, um, but I just think about the volume. Um, I think about the volume of being able to do it. We can't be like, you can't train people on, look for the misspellings anymore. It just doesn't happen. Right.

They speak like your CEO, they speak like your CFO. The deep fakes are coming as well. They're a little rudimentary still, but that's going to go away soon. Um, so we always come back to that human element, which, which is nervous.

Like we got to augment it with technology, but it seems like we took a few steps forward, but AI, just the weaponization of it, we're seeing it here and there mainly for fraud and, or, you know, account takeover and stuff like that. 

Evan: So that's almost like the, like, if, you know, if we were naive criminals and we got access to ChatGPT, right. Some of the, what you described would be like our first, to the first most obvious application of technology. Um, what do you think is coming up next? Right? You mentioned deep fakes, right? Like, um, you know, if, if you, you know, just the technology is accelerating so fast, right? I know some of the deep fakes are kind of mediocre today, but it's not, it's not hard to imagine a world a year from now, maybe two years from now, Where, you know, there's some deep fake person joining this, you know, podcast and it looks like someone we know and sounds like someone we know. And it's hard to imagine how you do business in that future world where you can't trust all the digital communication. 

So yeah, where do you think this takes us? Like, what do we do about it? 

Michael: Well, you gotta fight AI with AI, right? You gotta take the human out of the equation. We just talked about it. Like, I'm happy to bring more humans in, but when you look at like the future, you're really talking about completely taking them out. Not up and down the chain, obviously it was within reason, but when you look at analyst level jobs, like how can we upskill analysts to jobs that require the human brain?

And as it kind of develops over there, that decision making has become much more advanced. So I just kind of see it as how are the AI models defending keeping pace with the bad guys. But like what really scares me, we talked about attack surface, uh, issues before. You know, when I think about thousands, millions of intelligent AI driven, you know, uh, attack simulation, you know, like they are, instead of just a really smart human, you know, pecking on the edge or, or a cadre or a cohort of people pecking at your network. Now you're talking about millions of intelligent drones all the time, hitting the edge of your network, always testing it. Hitting your users. And like, the only way I can see that as being defended against is, is with AI models of our own. Like the human, I just don't think the human mind is going to keep pace or ability to analyze things at a human pace. It has to go to machine speed.

So like at like a far future focus here and like probably not that far, a couple of years off, is, we're going to have to have a pretty big revolution and all of our security products. It's already happenin going to go way beyond that natural language processing, which when you look at like the AI buzz, it's like, we have put in a chat bot within our tool. And we're like, very cool. I've seen this. 

Most people are doing that and it's great. Right. But when you look at the explosion of like AI agents and AI agents talking to other AI agents in a cyber context, what you're truly talking about is fully automated sock. You're talking about fully automated vulnerability and patch management. And that's the only way that we can restrict, I would say, what these, uh, intelligent. AI driven bots are going to come at us with that scale in the future.

Evan: One of the things I worry about with AI is that, uh, you know, many things you said. The, the kind of speed and scale the attacks going up, the sophistication, right, uh, is going up and the ability for humans to like identify stuff is going down. The number of criminals that, that can now send the phishing attack, right, is going up. Right. Don't have to speak English anymore. Right. 

And also like these attacks are harder for humans to detect and the time required to detect is going, you know, down. And so that's a scary world. And also these technologies are growing, like, you know, super, you know, very fast. 

So, you know, in that world where, um, again, you know, you almost can't trust communications. We got deep fake voicemails, deep fake videos and real time zoom avatars. It sound just like, you know, your boss. What? What's like, what's the tell us about the positive? Like, tell us why the defenders win, right? Like what? What are the technology or the tools that they're using? Yeah. Yeah. You think the next generation security teams need in order to fight that.

And like, I, I I'm actually optimistic long term on this, but I'd be on the short term scary, but love to hear your view on like, what, what, what does the market really need? Or what is the vision that you think is going to help us, you know, End up in a positive state, not a negative one.

Michael: I get like a little geopolitical here. So part of me a little bit, but I look at the AI revolution was born right there in Silicon Valley, California.

Right. I mean, obviously there's a race going on between, you know, different people across the world and things like that. But like, this is the, for me. This is the nest of innovation for AI. And we need to make sure that as a country and as, um, as a business ecosystem, we continue to have the competitive edge and that the innovation edge, and I think that is like, that's going to rule it all.

And I think if we, if we fall behind in this, it's going to be the detriment, not just to our cyber defense. It's going to be the detriment to a lot of different things within business. Just in general. 

Evan: I mean, arguably our civilization, right? Like if you can't use technology, right, you can't use your credit card, your iPhone, right? So someone's got to give at some point we got to, you know, every chart for cybercrime, which is up into the right. And so that something's got to change there for us to, you know, be able to live our lives in the future. 

Michael: But we have to be an innovation centric culture, right? Like we have to be able to incentivize entrepreneurs to create that next best company to do it right.

We have to incentivize DFC to get out with our customers and deliver these solutions. Um, and I think that that is going to be the thing that's gonna take us over the edge because our innovative spirits always going to win out and our entrepreneurial spirit in America and worldwide, especially with AI, it's going to win out at the end of the day. So that, I mean, that's the thing that gets me optimistic. 

And then, you know, there is a part of this, which is really interesting. When you think about like business email compromise, you think about, Hey, you're going to get a random text message from someone to sign off on this. You're going to get a fraudulent docu sign through your email. Right. That perhaps wasn't detected. At some point, we also, in the meantime, have to go back to manual processes, right? So like, not everything has to be immediate. Right. And I think we need to like, really just be honest with ourselves. Like the pace of transactions, we have to keep up with business, but there's some things that just need to be validated when you said, like, if electronic communication can't be trusted or there's going to be a tipping point before it tips back, and we have the augmented capabilities to like actually like sign messages and put them back to the root source, you know, we may have to sign a PO with an approval process and do that. 

And I think that's really in the short term. Um, and that's a little bit still of a pessimistic view because none of us want to do that. But reminding people and educating people about the needed manual controls, particularly around fraud and abuse and things like that, is a really big deal. 

Cyber is not going to be The only thing that's going to protect it's going to be the collection of controls and business processes that really Slow that decision making down when it needs to be slowed down and validates it when it needs to be validated 

Mike: Yeah, I I think that's a good point.

I think the one, one question i'd ask you there is I think that's where social engineering is such a powerful factor because most organizations do have manual processes and, and that attacker is very clever on on pulling those triggers around social engineering to get people to do things they wouldn't normally under under You know, under normal circumstances wouldn't do.

How do you kind of combat that, that natural pull of, of social engineering? Did someone do the opposite? 

Michael: We have to educate our users, users, but we also have to be honest that those mistakes are going to happen. 

There are certain vectors. Email is one of them where we have to team with the most innovative company to prevent that from being delivered to the inbox because it's just, it's going to happen. Right. And we had mentioned it's getting super sophisticated. You know, you're seeing. Um, like I mentioned two seconds ago, like, you know, fraudulent docusigns coming up, like, you know, things that are like just really tough for the end user to spot and particularly in a large environment where people are just racing to try to, like, do what they need to do. They want to be productive. We're going to have issues there, right? 

So, from my perspective there, from social engineering, on the multi modal, right, or multi channel sort of stuff, like, we are educating constantly, and we're blocking where we absolutely need to. Like, I, you probably hear, heard from right now, I'm a business enabling CISO, Like we need to be with our customers.

It's like our number one goal is to develop a relationship with our customers, be there for them, just like you are for your customers. So I can't get in the way of that, but I do need to control that. So, um, we try to take it out of the human hands as much as possible, but we still rely on education. I wish I had a better answer for you.

Simulations, right? Stuff like that. 

Mike: I think it's still valid. I'm just curious too, like what needs to change about education? Cause I feel like. We all, we all do about the same thing education wise. And, you know, some people will talk about, you know, role based or just like kind of in your mind, what would you do differently if you could around education to make it more effective?

Michael: That's a tough one. I think that's one, Mike, we've been trying to answer in this industry for a really long time. 

I've done a few easy things. I think more testing is better. Less punitive is better, more rewards and incentive based is better. So we can use AI to test a broader swath of the environment. We can use AI to live in the attacker's kind of space and test them through different channels and things like that.

And then we can choose the opportunity to, you know, educate, but also incentivize. Like we, I do this thing where I, you know, if someone, you know, submits a phishing email or something like that, Right. I incentivize it. Right. I say, great job. Here's a gift card or you do whatever. Right. Let's have a conversation. Um, I do think we need to look differently about that, but in the end, like when we think about that's just like end user education. 

I look, I work in a technology company as you do. We're talking about administrator education as well. Like, how are you building systems at scale in a secure fashion? How are you figuring that out? We have to use AI for that. 

I told you about our ability to natural language process around policies to generate secure patterns, secure architectures, right? To just basically inform someone what their obligations are. We can use AI then to test that continuously, to hold people accountable, right? To re educate them in terms of what they're doing. Ultimately, AI will likely end up building those environments, but that's a little bit down the road. 

I think we're going to get to that inflection point where, from an end user standpoint, we're still going to double down. From a builder perspective, I think we're going to be in a great spot to kind of take it Out of their hands, or at least give them all the tools very clearly. Tell them what they need to do, because like, again, you know, 

You, you have this issue, like, and I would love to hear from you, Mike, like, how do you inform all your, you know, builders, your administrators, right. Your infrastructure people at scale, this is the way you need to do it. You know, we don't deviate because deviations right now, or in my opinion, a little bit of a thing in the past, we don't deviate, this is how you escalate. That's a very hard thing to do. It's very, very hard. And I want to look to AI to make that better. 

Evan: You made this comment about kind of manual processes, right? And like, I actually think that that concept is right. There's some things where it's like, okay, you know, Kelly signed off on the PO, but like, let's have someone just really inspect to make sure that was the right decision. I think that is the right concept. My argument would be that, like, I think that that kind of supervision inspection, if you think about what information and context, you know, the best inspector, Or kind of audit, you know, internal audit would have on that. 

I think that there's an AI version that can have more context. Right. And so like, I think that concept, but like the AI is like doing the double check, kind of sitting behind people saying, actually, Kelly, I know we got that email from Joe, but you know, something here is a little phishy, right? Why are we hiring this vendor in this country we don't do business in. Something is a little, you know, I, I think, I think that concept is right, but I think there's a way to do that. Um, that manual work in AI, where it's like a digital, a digital agent is kind of doing that with you. 

Michael: Well, it's happening now, right? I mean, like AI agents and agent bots are like doing that now, right? And then the interplay between those agents and bots is what's going to be very special because that Agent could be a cyber agent or something related to the email then goes to like a finance agent that like really does that job.

And I think, I mean, I think you all would know better than me, i think 2025 is really the year we're going to see that start to come out and like see that interplay between different functional elements, not just AI agents that are siloed within organizational components. And that, that I think is really exciting. I think I need to see it in practice.

You know, in the technology ecosystem before I get like super excited, but like, when we, when we talk about that, then you also think about like the role of the CISO, this is kind of like a CISO podcast, right? You know, what's my role, create a program, you know, uh, prioritize investments, you know, manage, you know, capability, increase, manage costs, identify cyber risk everywhere it is. Communicate cyber risk everywhere it is. 

You start to think like five years down the road, you know, a lot of us are going to that decision making within an AI model. Can, can do that as well to a certain degree. And it's going to augment us for a very long time, but it's going to be really interesting to just see where like leadership in general kind of, kind of goes across a lot of spaces as these things mature, you know, five, 10 years down the road.

So it's going to be a fun ride. 

Evan: Mike, we only have like five minutes left. Um, and so for the, for the, at the end of the, um, episode, we'd like to do a quick lightning round. So looking for your kind of like one tweet takes, right? So these, these questions are obviously impossibly answering like the one tweet, but looking for something, you know, kind of, kind of punchy for us to, to add in. 

So Mike, you want to kick it off for us? 

Mike: Yeah. So what, you know, someone stepping into their very first CISO job, what's one piece of advice that you would give them about that job?

Michael: Uh, stay humble because this business will humble you quick. You don't know everything, reach out, have a community, have mentors, reach out to them, have intellectual honesty about what you do know and what you don't know. Because it takes a village. 

Evan: You know, Mike, one thing that's unique about kind of your role is that, you know, you're working with, one, you work at a technology company, so you learn more about technology. You're also working with customers to help advance, you know, their technology, innovate, right? So you're kind of a little more naturally surrounded with like new tech and innovation than probably your average peer. So what would be your advice to, you know, the average CISO out there about how they stay up, how they kind of stay up to date and they're aware of some of the trends when it comes to AI?

Michael: You have 15 opportunities a week. To stay up with it breakfast, lunch, and dinner. Prioritize the involvement, prioritize partnership with the vendor ecosystem. Uh, prioritize the partnership with a community of CISOs doing the same thing. You know, so I mentioned that I said, mentioned, be humble. 

Um, you get so much out of understanding what other people are doing, but more importantly, where the innovation is going. So, uh, prioritize that collaboration.

I think one more, sorry. I knew I was going to be bad at this, but, um, don't use busyness as an excuse. We're all busy. It's all about time management. And one thing that needs to be in your time management is making sure that you understand what's coming around the corner.

Mike: So on the more personal side, what's a book you've read that had a big impact on you and why? 

Michael: So I have a lot of books here. Well, there's, there's a few, there's not too many, but, um, this one's gonna be kind of boring, just to be honest. Uh, but it has had the biggest impact, particularly in my cyber world.

Um, I've, I've had the pleasure of working with an amazing CIO for the last nine years, and very early on, she gave all of us the Speed of Trust by Covey. And it's a little bit of a dry read, but what it was really good at articulating for me is that we as cyberprofessionals have the ability to get to yes.

We can get to yes safely. Uh, we can be responsible about, about getting to yes, but we have to prioritize the alignment and the collaboration with everyone, our IT colleagues, with our business counterparts, really to build that trusted relationship, because trust is going to be the fuel for business, business growth.

And that's what we're all here for. 

Evan: What advice would you share to go inspire the next generation of security leaders? 

Michael: Just get after it. Right? So when you think about it, you know, you look at, we talked about my story earlier, right? I was this, you know, auditor, cyber consultant at EY was presented an opportunity to take a leap. And I took the leap. 

There are opportunities out there. You should be spending a lot of your day. Looking at the ecosystem. There's a lot of needs and make sure you're prioritizing yourself and your learning and your career path, right? And don't let things like imposter syndrome get in the way, you know, don't let a lack of confidence. Right. If you're investing in yourself, you're prioritizing yourself and your career journey, make sure you're ready to take the leap when the, you know, when the opportunity comes to you. 

Evan: I like that. Well, really appreciate you making time to chat. Um, great seeing you and looking forward to chatting again soon.

Michael: Yeah, absolutely. Thanks for having me on. I really appreciate it. Thanks for the opportunity to tell a little bit of story about myself and DXC.

Mike: That was Michael Baker, Chief Information Security Officer at DXC. I'm Mike Britton, the CIO &  CISO of Abnormal Security. 

‍Evan: And I'm Evan Reiser, the founder and CEO of Abnormal Security. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog

This show is produced by Josh Meer. See you next time. 

‍