AI Agents: The New Frontier of Enterprise Security

In this episode...

Explore the future of enterprise security with Abnormal AI's CIO Mike Britton, as he reveals how next-generation security operations are evolving to combat machine-speed threats. As both a security leader and AI innovator, Britton shares his advice for implementing effective agentic AI governance while maintaining operational agility. He emphasizes that success in the AI era isn't about replacing humans, but about empowering security teams to work alongside AI systems effectively. From managing agentic AI risks to building AI-ready security operations, this episode offers essential guidance for security leaders navigating the intersection of AI innovation and enterprise protection. Don't miss this opportunity to learn from a leader at the forefront of AI-powered security!

Transcript of the conversation

Featuring Mike Britton, CIO, Abnormal AI, and Clarke Rodgers, Office of the CISO, AWS Security

Clarke Rodgers:
I’m Clarke Rodgers, Director of Enterprise Strategy, and I’ll be your guide through a series of conversations with security leaders. Today’s guest is Mike Britton from Abnormal AI. Please join us as we discuss security leadership, security career paths, and agentic AI, and more.

Mike, thanks so much for joining me today.

Mike Britton:
Thanks. It's great to be here.

Clarke Rodgers:
Please introduce yourself and your role at Abnormal.

Mike Britton:
I am Mike Britton. I am the CIO of Abnormal. I've been there for four years and part of my job is running our internal IT program, security, customer trust, and anything else my boss asks me to do.

Clarke Rodgers:
So you've evolved to the CIO role from being a CISO. Can you tell me how that transition happened?

Mike Britton:
That's funny. Throughout my career, I've always been willing to take on new challenges. I've owned IT before at previous roles, previous life, and I got here at Abnormal when we were about 100-120 employees and we didn't really have an IT team. So it's something that I'm very comfortable with. I'm very hands-on. I love technology, and so I just kind of evolved and as I've grown at Abnormal over the past four years as we were talking with my CEO, who's also my boss, just the conversation came about what's next, and we've got a lot of exciting challenges as we continue to grow, and I really thought it was a great opportunity to broaden and look at our technology transformation and how we're really evolving as a company.

Clarke Rodgers:
And then as CIO, you can now ensure that security is everyone's top priority throughout IT. Correct?

Mike Britton:
Yes. I often tell my teams because there's always that natural push-pull between IT and security, and it's always nice to be able to say, you guys all work for me. Get along.

Clarke Rodgers:
That's right.

Mike Britton:
I need my IT team to be security focused, and I need my security team to also have the internal customer in mind. So it's not about zero risk, it's about productivity, it's about achieving business objectives, and sometimes that means we can't have a perfect world.

Clarke Rodgers:
For sure. In addition to your CIO role, you're also leading the AI focus at Abnormal. Can you talk a little bit about how that came onto your plate, for lack of a better word, and then how you're thinking about AI not only internally as a sort of business tool, but then maybe from an attacker perspective and how you're protecting the organization from AI?

Mike Britton:
Yeah, it's interesting because Abnormal's always been an AI company. We always like to joke we're AI before AI was cool. Evan and Sanjay are two founders. They started the company as Abnormal AI. And I think the feedback they got from the market was, whoa, this is too new, too soon, too scary. So we're like, “Okay, let's go with Abnormal Security.” And now we're in the right time, the right place to go back to our original roots. So that's why we've rebranded to Abnormal AI.

And so we do so many great things from a product perspective for AI, and there's so much opportunity. You see it in some of the smaller startups that are just now starting. They're able to leverage AI on the development side. They're able to leverage it internally. We have to be able to be agile in our business. We have to be able to scale. I love the concept of every person at the organization needs to be the best AI enabled version of themselves. And so part of that is looking at new opportunities, looking how do we scale? It's not about replacing jobs. It's about how do I grow 10X over the next five years without hiring 10X more people?

Clarke Rodgers:
With the proliferation of AI tools that your business users are using, how do you think about the securitization of those and then prior to vending them out to those users, what kind of guardrails are you putting in place for this?

Mike Britton:
Yeah, first and foremost, I want my business to come to me. I want them to come to me at the idea state. I want them to come to me with, “Hey, we're looking to solve this problem.” It's so easy today for them to put in an email address, not even have to put in a credit card and off to the races they go. And so as security, as IT, I can't take the head in the sand approach of, “We're going to block it all, stop it all.”

Clarke Rodgers:
Right.

Mike Britton:
I need to usher them to come work with me to help them try things quickly, to fail fast, to see what works, what doesn't work, and help them also articulate the return on investment. It's not only the cost, but it's the speed to implementation, the real-world effects of how using that tool can help us out. And then honestly, we're in this weird age of 8,000 versions of everything out there on the marketplace and new things coming up every day. And as much as I'd love to have five versions of the same thing, we do want to rationalize tools and technology and helping usher people into the right solution.

Clarke Rodgers:
So how have you built the security culture at Abnormal to facilitate just that? You want to protect the organization, but then you also want to allow people to move quickly and innovate. So how have you found that balance so that you're not viewed as the department of no, but you're also implementing sensible security rules?

Mike Britton:
Yeah, it's a balance. We don't live in a black-and-white world. It's always operating in shades of gray. Any organization, whether you're a tech company like I am or brick-and-mortar, you have to take certain business risks to be successful. It's all about navigating and engaging those risks. I've often looked for opportunities to show that security can also be a business enabler, whether that's moving to passwordless or being there at the early stages to guide and navigate through the right steps. I'm not wanting to say no. My team, I very much push back when it's a no-first attitude. It's more of a consultant. It's almost like I'm the advisor to the organization, advisor to the product, advisor to the business to help them navigate, to make the right decisions and move as fast and take as much risk as the organization can tolerate and just move quickly.

Clarke Rodgers:
So under the lens of security as a business enabler, how do you report or demonstrate the health and effectiveness of your security program sort of up and out to make sure that your business leader peers understand where everything is and how you are enabling them? The C-suite, the board, whatever comes into play, how do you report that health and effectiveness?

Mike Britton:
It's obvious things like, hey, we haven't had a major incident, major breach. It's about speed of mean time to detect. Mean time to remediate. I also don't like vanity metrics. I feel like security is full of a lot of vanity metrics that don't really tell you about the health or the risk of the organization, but they look nice on a dashboard.

Clarke Rodgers:
Phishing clicks.

Mike Britton:
Yeah, phishing clicks. I mean, I can tweak those and manipulate those up or down depending on the day of the week, but they don't really tell me anything about the organization. They don't really tell me what's the real risk, what's the threat landscape, what's the attack footprint of the organization? Honestly, it comes down to a lot of stories. I've always felt with boards and with C-Suite, it's telling stories, it's giving them a data point and then explaining the why behind it. As much as I'd love them to understand by just looking at a spreadsheet or a PowerPoint, it's much more than that. And really, as the security and technology leader, you have to be a good storyteller. I have to be a salesperson to a degree on selling the value of my program to my internal stakeholders.

Clarke Rodgers:
And how exactly do you do that? Is it a dollars and cents conversation? Is it a risk conversation? Or does your leadership want the deep down security metrics when you're telling that story?

Mike Britton:
It's a little bit of all of the above. Obviously it's about risk reduction. It's about pointing out the gnarly attacks we stop. It's about the things that we avoid, but it's also productivity gains. It's the ability to say, I'm not wasting valuable headcount on things that can be automated. I'm not creating additional productivity loss from employees by making them walk through additional hurdles and steps. It's productivity of the employees, productivity of my team, and risk reduction all rolled up into a nice package.

Clarke Rodgers:
And then if we go back to sort of the IT side, and of course you're in an advantageous position now because you're CIO and responsible for security as being the CISO, how do you make security important to that developer? So traditionally we've had the developers pushing code through the different layers to get to production and maybe hit a quote-unquote security roadblock. It's like, “Oh, I have some findings now I got to go fix this.” How do you change that mindset from “security is stopping me” versus “I have room for improvement to build more securely”?

Mike Britton:
We're a security company, so it'd be great if every single developer, every single engineer came from a security background or worked at a security company. The reality of it is they don't. And so part of it is also helping them understand where the customer sits, what's the concerns of the customer. The customer is concerned about their data. The customer is concerned about how I'm protecting my infrastructure and helping them understand that the reason you have a job is because there is a customer out there that buys our product. And so it's this relationship of I have to earn and maintain the customer's trust. Trust is, whether it's customer trust or just trust in general, it's often hard to establish, hard to earn, but it's so easily lost and we can't afford that.

And the more you kind of help them understand this is what the customer sees, it also helps them understand what's at stake. It's not just me being arbitrary and saying, “You can't do this, you have to do that.” I often try to articulate actual examples from customers, customers that have said, “Hey, I'm concerned on this.” As forward leaning as we are on AI and as bullish as we are, not every organization is that way. There are companies out there that are a little more conservative in their risk profile, and AI is a scary thing, and we have to understand that and adjust to that.

Clarke Rodgers:
So I love that. So you're basically taking the blinders off the developer and having them understand the bigger picture there. For both your sort of developer community and your security community, how are you helping them grow in their roles? And then of course, the retention within the organization. It's very normal these days to see people jump ship every couple of years, but you lose a lot of institutional knowledge and cultural growth within your organization when those people leave. So what are you doing to sort of give them a career path forward and then actually retain them?

Mike Britton:
Honestly, I think it starts at the hiring process. I've always been willing to look at different profiles. I want someone that is intellectually curious. I want someone that's a tinkerer. I want someone that's going to want to learn and grow. If I look at what I had to know early on in my career versus today, everything I knew early on in my career is obsolete today. It doesn't matter. And probably everything I know today may be obsolete five years from now.

And so you have to have employees that want to learn and grow and have some natural inclination. It's two sides to the coin there. There's the resources and the opportunities I have to present, but you also have to be wanting to and willing to take that opportunity. So I think if you start with that premise and you find people that are going to adjust and are going to be hungry and are going to want to learn, that part's the easy part. I think the challenge often, and this is where I'm a big believer in AI and automation, is you have to take the boring, mundane, routine things off their plate. If someone has meaningful work, if they come to work every day and they can see the impact of their day, they can see the impact they're having on the organization, they're going to stay with you for a long time, especially if you're helping them grow and learn along the way. And I feel like that's the best way to retain people.

When I started here, it was me on day one. I've built up a nice-sized team on IT and security. And to date, I've only lost two people out of about 75 that went to do something else.

Clarke Rodgers:
So something's working. Right?

Mike Britton:
Something's working.

Clarke Rodgers:
So I want to dive into AI and automation in just a moment, but one thing you said stuck with me, curiosity. Can you talk a little bit more about why that's so important?

Mike Britton:
We're very blessed in that we live in an information world, so there's no shortage of YouTube channels, X feeds, information, it's all at your fingertips. So it's once again, having that desire to go out and dig and find the information and spend time in it. It doesn't do me any good if I don't actually ingest it and figure it out. And then I'm still a big believer of put your hands on it, play with it. How can you understand agentic AI if you're not willing to mess with it yourself?

The word “hacker” has a bad connotation, and unfortunately, there's a lot of threat actors out there that give that term a bad name. And really, if you think back to it when I was younger and others, it's just that I want to learn how something works. I take it apart and try to make it to do something that it's not supposed to. It's that curiosity of understanding how things work. We need more of that hacker mentality in security. I feel like a lot of times security has become compliance driven, checkbox driven. It's all about managing risk, which is important, but you also have to have that curiosity. You have to have that desire to go figure out how things work, figure out how things shouldn't work, and be willing to get your hands on it.

Clarke Rodgers:
So as a leader, how do you stay current, right? The security environment is changing seemingly daily, and then the technology environments maybe twice as fast. How do you keep current and up-to-date so that you can communicate the risk effectively to your peers within the organization?

I know several CISOs who carve out time in their calendar every day. Maybe it's an hour at the beginning of the day or at the end of the day. Do you do something similar or is it just as something comes into your mind you go research it?

Mike Britton:
I do have two days a month that are kind of carved out. They're my no meeting days. That doesn't mean no meetings occur, but instead of 15 meetings, I may have three or four. I use those times deliberately. You have to plan and make time. It's just not going to organically show up. Unfortunately, I spend a lot of time late at night scrolling through Twitter and other resources like that as well, just to stay on top of it.

Clarke Rodgers:
I love it. So automation, AI, how are you thinking about it from a security operations perspective within your organization?

Mike Britton:
I think AI has the capability and the ability to disrupt security. If you think about it, attackers are using AI today. Are they using AI solely? No. Are they using it as their primary vehicle? Probably not, but they're using it. It's back to the AI tools that we talked about earlier. There's probably a hundred different AI marketing tools to help you write effective emails to land in inboxes of potential customers and to get them to engage. It's consumerized, it's easy. It doesn't take a genius to use it. Well, attackers can do the same thing. And if attackers can leverage AI to be much more effective at their craft and they're now moving at the speed of machines, I'm going to lose that battle if I'm still moving at human speed.

Clarke Rodgers:
For sure.

Mike Britton:
And so my defenses, my program need to operate, need to make decisions, need to understand context and analyze the situation at the same speed of the attacker.

Clarke Rodgers:
So what are your thoughts on agentic AI? Where it's going? We have model context protocols, we have A2A, where do you see all this coming to a head?

Mike Britton:
Yeah, it's all about data. I'm only as good as the large language model that's feeding it. MCP, A2A, those types of protocols out there, I think they open the door for... We look at ChatGPT, look at Claude, you look at Gemini, they're great agentic AI tools. They're great for asking questions and solving it. But now if I want to hook up other tools, other agents to that same set of data, I have concerns around authorization. I have concerns about data spillage. Is it going to respect access boundaries? There's all sorts of concerns in this world where I'm now hooking different things together and expecting them to go off and do their own thing. And how am I monitoring that? I was talking to a CISO the other day, and one of their concerns is, everybody's using agentic AI today. How do I know when a vendor I use all of a sudden is turning on AI agents in my environment? Where's the visibility? How do I respond to that?

Clarke Rodgers:
And actually, it goes back to a very old problem that we've been working on for years, is who is doing what when? Right? And it's just now that what is a... It's a non-human actor within your organization.

Mike Britton:
And it brings new challenges. I mean, when agents are talking to agents, your humans are out of the loop at that point. How are you going to secure that? How are you going to protect against a world where there's rogue AI agents in your environment? But part of that's why I love security. Part of that's why I've been doing security for nearly three decades at this point.

Clarke Rodgers:
It's never boring.

Mike Britton:
I love the challenge. Most people, when you get 30 years into a career, you're thinking retirement. You're thinking, okay, I want to be coasting. And one of the things that's just kept me in this industry so long is I love the fact that every day is a new day. There's going to be new challenges, something to keep my mind sharp, something to challenge me and cause me to grow. And I love it.

Clarke Rodgers:
Well, on that note, and I don't mean to put you in a difficult spot with predictions, but where do you think this is all going in the next 18 to 24 months? Is there a particular set of technologies, either security focused or non-security focused where all this is coming to a head?

Mike Britton:
I think part of this is trying to guess and wishful thinking at the same time. Obviously the marketing hype is AI. Everybody's an AI vendor at this point, and there's a lot of noise. That's the hard part about being a buyer of technology is how do you separate fact versus fiction? How do you separate real AI versus bolt-on? Everybody can slap a ChatGPT-like interface on top of their solution. Is that really AI? Is that really providing value? And so I hope over the next 18 months or so, there's some clarity in the market. There will be winners and losers like there always are for disruptive moments like this. If you look at how long it took us to do digital transformation and cloud, it took forever.

Clarke Rodgers:
And it's still going on.

Mike Britton:
And it's still going on. The pace of AI adoption is so much faster. So I do think there will be some natural winners and losers out of that. I would say too, it's just an exciting time. I don't think AI... Actually, I firmly believe AI is not going to replace jobs, but I do believe, and I'm not the first to say this, but I do believe that it's going to come down to not AI replacing humans, but humans replacing humans with humans that know how to use AI. And so part of that's just-

Clarke Rodgers:
Well said.

Mike Britton:
... changing the hiring profile too. I don't care what you did five years ago. I care to know what you're doing now. What are you exploring? What agents are you building? Are you using AI development tools? That's what I'm interested in because-

Clarke Rodgers:
Are you curious?

Mike Britton:
Yeah. Are you curious?

Clarke Rodgers:
As you think about your own career and how you advance the ladder, what kind of advice would you give to that aspiring CIO or CISO in today's climate?

Mike Britton:
I would say learn your business. Understand how your business makes money. Understand how all of the various pieces fit together. Don't go in just automatically assuming you know the solution to the problem. Build relationships, build those relationships proactively and put credits in the bank before you start telling them exactly where the risk is or how they should do things.

Clarke Rodgers:
And I would imagine there's a level of speaking that language of business as well.

Mike Britton:
I feel like oftentimes security leaders are propeller heads. They love to talk tech, they love to throw out three-letter acronyms. Speak the language of the business, speak how your CFO understands, speak how your sales leader speaks, understand what keeps them up at night, understand what their objectives are and what they need to do for the business.

Clarke Rodgers:
So aligning with their incentives and motivations.

Mike Britton:
Absolutely. And it's your job to kind of persuade and get them to think through those things. But at the end of the day, they're there for a particular role. They're there to achieve a particular objective.

Clarke Rodgers:
I love it. So in closing, Mike, what are some final words you'd like to leave your fellow CISOs with?

Mike Britton:
It's easy. And this is the challenge. It's easy to try to be Luddites and try to block advancement and say, no, this isn't going to happen. I'd say lean into it. Embrace it. Look at the younger vendors, look at the disruptive ones. Look at the ones that are really using AI to disrupt and to solve problems. Don't be afraid of technology. It's exciting times to me.

Clarke Rodgers:
Well said. Mike, thanks so much for joining me today.

Mike Britton:
Well, thanks for having me. It was a pleasure.

I firmly believe AI is not going to replace jobs, but I do believe that it's going to come down to not AI replacing humans, but humans replacing humans with humans that know how to use AI.

Mike Britton, CIO, Abnormal AI
