We're here with Mark Hughes, the President of Security at DXC Technology. Welcome to the show, Mark.

Thank you very much indeed, Rob. It's wonderful to be here with you today.

Can you give us a quick overview of your role at DXC?

Yes, so I run the security business here at DXC. DXC is a large global IT services provider, about 140,000 people strong. And as I said already, we operate globally. So we see things right across the globe. I run one of six businesses within DXC and that is the security business. And so I provide and have a team of over three and a half thousand people who are responsible for writing security services to our clients globally right across the board and right across all sectors as well. So that's what I get up to from day to day.

I think critically important because I think what people are trying to always understand is the landscape for security is always changing so much day to day. Almost it feels like especially with what's going on. What are the most significant challenges and trends that your company is observing specifically as it relates to cybersecurity and really data protection domains?

Well, actually, Rob, I'm going to start with a more general set of statements about what I see in our clients because it really relates so strongly to security as well. And the first one is just the overwhelming complexity that I see most organizations really challenged by. And what I mean by that is that they are every large multinational or even smaller organization is going through some form of transformation, digital transformation at the moment. Whether that's moving one in workloads from what used to be sort of mainframe environments into the cloud or more sophisticated analytics tools or the new applications that we see in implementing those. All of that complexity that has been created where often there's a lot of legacy still in place as well.
And I'm sure many watching this will understand what I'm saying by that means that you have this much, much greater complexity. And in my world when it comes to security, that's all about increasing attack surface that is now available to threat actors to be able to then look to work out how they potentially get off to attacking organizations. So there's complexity. There's also increased demands often in terms of cost and becoming more cost efficient in terms of how organizations need to operate. So cost of service under pressure. So take that complexity coupled with the fact of then needing to secure all of that in a cost sensitive environment. Challenge as you can see gets even greater. And then on top of that layer in the fact that we're often in a situation where there's a real tight squeeze on skills and where in security we have this huge skills deficit many millions of security practitioners that we just don't have globally and against that new and emerging threats, ever increasing complexity, cost sensitivity you then really arrive at this place which is really quite tricky given also the fact that many organizations perhaps don't work in a way in which they're working together as much as they could. And what I mean by that is the supply chain as well. So you add all of those things together where you then have that deep supply chain ever increasing deep supply chain where perhaps in some organizations there isn't the integration between that organizations that are procuring those services and the understanding of the need to ensure that that control framework from a security point of view is flowed through that supply chain. 
You add all of those together and, as I said earlier, that's not necessarily a security specific thing, but boy does it make it hard and increasingly hard to really understand the risk in that complexity and then apply the proportionate set of controls that manages the risk and the information they need to protect the information within that environment in the proportionate and right way on behalf of the customers that that organization is serving. So that's really what I'm observing and therefore the security challenge that comes with that is in some cases quite overwhelming for some organizations.

Yeah, I would say that again, as you said, that as the landscape expands what we see is that the domains and there become kind of silos of automation. You have, you know, cloud native apps that are connected back to those as I would say not necessarily legacy but heritage apps that maybe contain certain pieces of data that are trying to get out to those customers. So it must really change the strategies that you have to bring because those emerging threats are always evolving. What strategies do you employ to ensure that your clients are well protected? Because it's an ever, we're always playing catch up or get ahead or what have you with those threat actors.

Yeah, so really a couple of things, Rob, which is a great question. So the first thing is that let's not forget that when we look at most of the stuff that's going on and the way in which most organizations are being targeted, where they are becoming victims of these, the types of threat actors we're seeing, is often there is often a degree of simplicity in terms of how threat actors are able to penetrate, gain access, obviously initial, that initial foothold, and then often traverse around an organization, move laterally without detection.
So I'm going to start by saying that the first thing that I, when I talk to organizations, the one theme that I see often is that there is often a set of security tooling available in the organization, but is it comprehensively applied? Is it applied across the organization and implemented in such a way that when and if, I'm afraid, a threat actor does manage to get a foothold in that organization, can they detect that, and if they can detect it, can it be detected in a timely way? And very often where organizations fail and then become victim to these types of attacks is because the toolset that they might have might be modern and great but it's just not deployed as comprehensively as it needs to be, it doesn't cover the entirety of that attack surface that we were talking about before. So the very first thing that I will talk to organizations about is, look, where are those key controls, and they're often not many of them, they're really big things that if you need to get those right and if you don't have those right then things are going to be very challenging to get everything right, put it that way.
So where are those basic things that need to be done and need to be done comprehensively? Well, often a lot of that is around access and things like multifactor authentication and having comprehensive, a bit of comprehensive detection in place, so running an EDR tool for example, as well as then having the right backup and resiliency in place that if you do fall victim that you know that you can recover. You know, those few things, so critical getting those right, and they don't have to be the absolute most fantastic tool ever and the most modern tool, but just having that, having that deployed comprehensively and then being able to operate that across the entirety of that, that estate that we talked about, that IT estate, is really foundational. And that's the thing that I will often talk to customers first and foremost about, which is sometimes a bit surprising to them because, you know, a lot of us in the security space are quite keen on the latest tool, and of course that is very necessary when we look at the changing nature of the threat, but when we really get down to it a lot of the things that threat actors are doing are still exploiting known vulnerabilities, known weaknesses, which have often existed for quite a while, in some cases years. And so that's the starting point that I want to use: how can an organization really get to the point where they can get a commensurate step change in their ability to manage risk in a positive way for their organization without necessarily having to invest and do loads of all stuff, just get what you've got and make sure the coverage is good and also that the stuff that is out there you're really paying attention to and therefore being able to detect when there might be something going on. Now of course beyond that, Rob, there's a whole load of other things, a whole slew of other products and services which companies are interested in, but that's really the starting point of the approach: practical security to generate net positive risk reduction in
an organization.

I think that's key because it is people, processes and technology, not just one of the three. If you don't have all of them working together you really don't have comprehensive coverage. And in fact I think you hit on a couple of the key topics, which is that customers really are struggling out there to understand their cyber security and their cyber resilience and to really be prepared for that. How do you start those discussions? Because it's really a sensitive topic and bad actors tend to be in, like you said, sometimes the holes are exposed and they've been there for years and bad actors have been in there for a year. How do you start those conversations more in general to help organizations understand that they may actually already be compromised from a cyber security or cyber resilience perspective?

So I think the first thing is to understand your risk. So there's that starting point of, as you just said, Rob, many organizations may well be, they may already be subject to bad actor activity in their organization. So where actually are the things that they really have to pay extra attention to, the crown jewels as we often refer to it within an organization? So where's that specific data, what's the lifeblood of their organization? And, you know, that is from a security standpoint of view is really necessary to understand, therefore how you actually put a comprehensive control set in place to protect the organization that you're responsible for. And of course that can vary quite differently. You know, financial services organization is going to be very, very focused on obviously making sure that data is absolutely, you know, is not made available to bad actors in any way, shape or form and is only made available to customers as and when they need to, to get access to and conduct transactions and everything else. And in another case another organization may be in a more extractive industry, for example, making sure that the actual operation continue to work is really
paramount for them. So not to say that either data on one hand or availabilities we often refer to another isn't, they're not, the fact that they're not both important, they are important, it's just an understanding where on the spectrum of relative importance that is, that's really foundational. So then that allows an organization to hone in on actually what are those applications that support those processes and contain that data, for example, where you can really say, look, throughout the organization these are things that I really, really need to focus on and really need to make sure that are absolutely covered from a controls point of view. So being able to start looking at that risk and understanding where relatively the risk is, I find the good news is for many organizations it's quite a revelation, because where they get to is they go, actually this is, this is manageable, yeah, this isn't just, I don't have to eat the entire thing at once, I can just get after those bite sizes and say, look, as long as I concentrate on that then I can have a really disproportionate impact on my overall risk by managing it, being able to manage it really effectively. And then of course it's about having the right controls in place around that to be able to do that. Now I just come back to the fact that doesn't mean you have to do anything everywhere else, you have to have the right basics in place, but really concentrating on those things that if you know that it goes wrong then, then you can have that coverage and understanding that if something is going on you can respond to it quickly is a big, a big leg up for many organizations. So that's one beginning approach. The other thing I often will say working with organizations is start with often the end in mind, and I'm afraid the end is all too obvious now and very relevant for many organizations because there's sadly a lot of data out there where organizations fall victim to the type of threat actor activity that we see. So start with what would an
incident actually look like in your organization? What if those so called crown jewels were compromised in some way? What if there was an availability problem? How would you respond, how would you back up, how would you organize your response, and have you thought about how you've worked not just with each other in your business but also with your suppliers who support your IT supply chain as well, to really be able to come together to how you could actually, you would respond and recover in the event of it actually being. You often say that the ability to understand how you respond and recover can make up for a multitude of deficiency at the front end, or at least gives you the ability to have a bit of headroom to really address things at the front end knowing that you have a very robust plan to deal with how it might pan out if something does get wrong.

I was going to say you brought up the whole EDR or XDR, and the R part of that, the response, is really key to how people understand and how fast they can get their minimally viable company back up and running. And I think part of it is that, you know, customers don't necessarily always run tabletop exercises as often as they should per se. Are you seeing any differences across the world as you travel around, and have you seen that, you know, certain countries or certain geos are in a better position than others?

Yeah, I think that's, so I think there's a couple of things that come into play. There's regulation, and some regulators, often driven through the relevant financial regulatory authority in a particular jurisdiction, will drive ever more necessity for preparedness. And so you see that in some of the well known jurisdictions that have those big regulators, UK, US, Singapore, Australia, others where there's a lot of regulation now, obviously the EU as well, where you're focusing, and so the trickle down effect of that is significant, no two ways about it, that is certainly helping. And as I say, often that is quite financially services driven to
start with but then pans out across other sectors, certainly due to the interconnectivity of the financial services sector but more because often that's seen as a benchmark. So that's one thing, in certain jurisdictions that you see more of that being driven than others. I think the other thing is just why there are big high profile incidents. So a lot of organizations get quite concerned, and understandably, if there's a big high profile incident. I've seen some stuff for example in Australia recently where there's been a string of incidents and you see organizations really thinking hard them or what would that look like if that happened here. I'm afraid sadly there are enough examples that we see day in day out, but specifically in some geographies where there's some really high profile incidents, we saw for example the effect of the Colonial Pipeline incident in the U.S. and how that has really changed some thinking in terms of not just regulation but how companies are thinking more about where and how they might be vulnerable. So a whole host of different events, Rob, that I see across the globe that really drive different types of behaviors, but also then that then takes people into thinking, well, what is it, back to what I was saying about that response piece, and why really make sure that I'm well prepared for it and that I have the right ability to be able to communicate, often to the regulatory authorities as well, because that is an ever changing situation that people have to be very familiar with, but also most importantly within their own organization how are they going to mobilize their own response. So that's what's happening.

Yeah, I was going to say that to me leads me kind of to how do you help those organizations? How specifically are you acting as another arm to them? You're bringing specific skill sets. How do you go about specifically helping those customers?

Rob, first and foremost it is about, we are part, by the nature of what we do, we're one of the largest IT services providers, that we're right in the middle of those organizations' IT estates, that's what we do for a living. So therefore being very close to understanding what part we play in their ecosystem and then leaning very far forward in a situation where there isn't a crisis, where we can then say, look, how would this play out and how would it play out. I talk very regularly to a lot of our customers and I really see it almost as my duty. I have the ability to be able to gratefully receive their business to be able to run their IT, but equally that means that when we do that we have to be very close so that they can understand what part I play and we as DXC play in their IT ecosystem so that we can do that. So that's one thing, about really helping them understand what part we play, what infrastructure we run for them, and then how we can really come together to understand what those parts are before we're in a crisis situation. But clearly, sadly, many organizations fall victim to the type of threat actor activity that we see, and that is also about when something does go wrong that we are then right in pole position to help in the best way that we can. And what I observe very, very comprehensively across the globe, across our customers, is because we provide these types of services to so many different multinational corporate organizations we get a lot of insight to what is going on across the globe and we see a lot of incidents, and really that those incidents that we, and that insight that we bring from managing incidents in a number of different jurisdictions and in many different companies, is extremely helpful to many organizations who luckily might only see this once in a very infrequently, one would hope. We, by the natural fact that we serve so many customers, see this quite frequently. So that insight about how you respond, how you communicate, what you say to whom, who you need to
have involved, what role we need to play in helping them recover, because obviously that's always different depending upon the services, is extremely helpful, and that's how we lean forward both pre and during and obviously post if there is to sadly an incident.

I think that all makes a lot of sense, and I think again from your perspective and where your company is sitting it must see a lot of that. And I think one of the things that we're always curious about across the world is the prevalence of Gen AI and how it's really, has it become a really force multiplier or increasing threats, or is it really being used as a deterrence for that, I mean both sides, for good and for bad. What is your point of view on the impact of Gen AI and security and cyber resilience?

Well, at first and foremost we see already threat actors using Gen AI. You've seen some of the, let's just take it at the most basic level, some of the phishing emails that used to be not well put together now all of a sudden is a lot better. So we can see the direct application of where Gen AI is being used by threat actors. I mean, simplifying that a bit, there's obviously many different ways in which I think we're going to see threat actors using Gen AI as well. And of course we're in that situation which is not new to security, that there's always that seesaw of innovation and where the advantage lies. And so to me the, of course we've seen, as I just said, threat actors using it on that seesaw, but it's really how do we practically take that and use that in our defensive posture to really give ourselves that advantage, to swing that seesaw if you want, to tilt that seesaw in our favour as defenders. So, you know, what I'm already seeing now is some fantastic application, and we in DXC are already adopting some of the early now early now tools that we're seeing emerging. One in particular we've just, we're right in the middle of implementing at the moment, and I can tell you I'm unbelievably excited about what that is doing. You've
probably already got that, Rob, that I'm very practical in how we approach security, and let me just give you some insight into the fact that if I look at something as mundane as writing use cases in our SIEM tooling that we use comprehensively, we've now just generally put a tool in place, a general tool that will take that, what used to take, you know, a matter of hours, even sometimes days, to get these use cases right, and we've been able to take that down to a matter of minutes. And most importantly not just be able to author the use case in a matter of minutes but then to be able to respond in real time, where we can then actually then refine that use case to, as we can see something going on, to then could conduct threat hunting in a different way from how we've done it before. It is transforming, revolutionizing the way we go about running our SOCs, and that's just at the starting point, already we're seeing that happening. So that is really going to help that innovation, because as we all know in security the one thing that we are always up against is how can we gain time, because that's the thing that we need more than anything. We spot something that's going on, how do we get ahead of that? And another example where we're using it pretty comprehensively already is, you know, I just mentioned phishing emails for example, so, you know, reverse engineering the scripts that we find in those phishing emails when someone, if they do click, clicks on them. That used to be a fairly heavy lifting and a piece of work we'd have to do in the past. Now we can do that with some of the Gen AI tooling that we're already implementing very rapidly, and so you can reverse engineer that quickly, that gives you such a head start in terms of how you then approach what might be going on in your environment. So just a couple of examples, Rob, already we're seeing the benefit, so I think the benefit for us as defenders is I'm really excited about.

Yeah, no, I think it is, and I think one of the things is that, you
know, when things do go bump in the night though, you know, data protection is really at the core of most people's strategy for how they're going to recover. What are some of the recommendations that you're seeing? Because I think again it's been around, but I think that taking a new approach to cyber resilience and really looking at how you approach data protection has to be more comprehensive as part of a cyber security strategy. What are you seeing and what are the recommendations you're giving to your customers?

That massively great question, Rob. We sort of forget a little bit in the world of everything being around somewhere that it is information at the end of the day that matters, right, and the data, you know, within our systems and applications and that distributed supply chains that we have, that's what really matters. And that's at the end of the day when you're in a situation where services being lost, how do you recover that data? You know, often the infrastructure elements of it can be hard to recover quickly, but once you can get that going that's pretty straightforward, but if the data really has been lost that is real trouble, because that's the sort of lifeblood of any organization. So first things first is making sure that organizations have to completely relook at their storage, and, you know, that is something which for many years has been something that no one's really had to pay much attention to, but clearly now in the type of environment that we're operating in, where organizations are operating their services, we have to be much, much more focused on that. And that is about making sure that that storage is genuinely, you can recover from it, and it's not just about running the sort of the traditional backup type of approach. This is a very different situation. It's all about understanding that that data has to be available in now what are maliciously driven events, and that's very different from how we've considered it in the past, and that requires a different set of
solutions to make yourself truly resilient, so you know you've got your data when you need it to be able to run that business. So the sort of things I talk to our customers about is, well, number one, how is that data actually being stored? Is it immutable? Is it really in a situation where it can be, it can be recoverable when and when, and that is absolutely necessary. So that sounds fairly straightforward, still tricky to get right, and often marks a very big step change from how organizations are running at the moment. So how do they vault their data and have that really in a place where they can get at it when they really need it, which can be quite extreme circumstances. But, and this is the big but which I talk to our customers about a lot, which is you can have that all set up and that's great, but if the things around that, that allow you to use that and be able to back up to it and create the copies that you need of the data and then retrieve that, so namely the access, if that is not correctly architected and thought through, and all the things that go around that, around your identity and your approach to it and how you authenticate into those environments and how you run your active directory for example, where those trust relationships exist, that I'm afraid that can be quickly undermined, that great solution that you may have put in place, if you haven't thought through around the architecture around all of that prior to or in conjunction with then embarking on a project to really revamp the entire storage and really move to a much more resilient form of storage that organizations need to get to that data when they really need it. So it's again, technology is pretty key but it's about people and process as well, and often physical requirements as well. Let's not forget, often the storage arrays and the actual physical assets are in a location, they also need to be thought about as well. So people, process, some physical, as well as the technology and the technology that sits
around those cyber vaults that we have now in place to ensure that organizations can get that data when they really need it, when they are, as I say, under attack. So a number of different considerations their role which, if you don't have the process and the other pieces of technical architecture right around it, it does undermine the value of embarking on a project to really look carefully now at the whole storage approach to make your ability to get to your data much more resilient.

Thank you, Mark. I think that was super insightful and I think that a lot of people watching will get a lot out of that, because I think just understanding the approaches is really key. So thank you very much for coming on board with us today.

Not at all, and, you know, let me say it's been a great opportunity and always happy to come back and talk more about it or to take questions whenever anyone might have them as well.

Great, thank you very much for coming along. Live in studio and on demand from our Palo Alto studios, you're watching Navigating the Road to Cyber Resilience, a summit bringing together practitioners, cyber experts, analysts, technologists to explore cyber security and data protection. Keep it right here.