Splunk CISO on the promise and risks of agentic AI

Michael Fanning, Chief Information Security Officer, Splunk.

Splunk’s move into agentic AI for observability and security operations has surfaced a central question for CISOs: Will these capabilities reduce operational strain, or create new forms of complexity? At Splunk’s recent .conf25 in Boston, Frontier Enterprise spoke with Michael Fanning, Splunk’s CISO, who explained why the shift could be transformative and destabilising in equal measure.

Why did you move from Oracle to Splunk?

My roles at Symantec, Microsoft, and Oracle were mostly centred on detection and response and incident response. When I joined Oracle, I was hired to run detection and response and to build out detection and response for Oracle Cloud. We were Splunk customers at OCI, and when the opportunity at Splunk came up, it felt like a particularly good match. My background has always been in detection and response, so moving into a company that builds the tools I had been relying on throughout my career made sense to me.

How is security shifting from a reactive to a proactive approach?

From a product development perspective, you hear the concept of shifting left and shifting right, and preventing the creation of vulnerabilities that could end up in a product. The question is how far left you can push to avoid a situation where a vulnerability is discovered in something already deployed or in something about to be released, forcing teams to slow a launch.

Investing in secure-by-design concepts, often referred to as guardrails, and embedding these controls into development and deployment processes is super helpful. Incidents will always occur. Response will always be necessary, and how you respond becomes a signal to customers about how seriously you take security and how transparent you are during an incident.

This is one of the broader shifts we are seeing. Several years ago, many tech companies wanted to keep incidents quiet and avoid speaking with customers about them. Now, transparency with customers has become integral to maintaining trust.

How will Splunk’s agentic AI capabilities change the CISO’s role?

A couple of different ways. One is AI for security. How can we adopt AI within our organisation to become more efficient and improve the quality of our work? SOCs will be able to adopt agentic workflows to detect and respond more quickly.

The other side is security for AI. We also have the responsibility to make sure that the AI capabilities you heard about align with the secure-by-design principles I described earlier. We want to release AI capabilities that we can trust, that we know are secure, and that customers can be confident in. We think about both aspects. It’s interesting from a security perspective to be adopting the technology while also ensuring that it is designed securely.

Will agentic AI ease the challenges CISOs face?

Yes and no. It will help in some areas, but it will also create new challenges.

AI will help us scale. Historically, organisations scaled with people, and then functions such as DevOps, DevSecOps, and site reliability engineering emerged to automate parts of the work. We’ve been strong advocates of automating as much as we can in security, through both our own automation and through the use of a SOAR platform. We rely heavily on SOAR, and it has helped us scale.

AI accelerates automation and lowers the barrier to entry for building automation. You might need fewer Python engineers because AI can help create automation without requiring deep coding expertise. Where things become harder is the broader threat landscape created by integrating the various tools that come with AI. We are seeing technologies such as MCP (the Model Context Protocol), RAG, LLMs, and MCP clients.

All of these create a wider threat landscape than what we have dealt with before. These technologies are being adopted not only within security teams but across entire companies, and they introduce new risks. We need to determine how to defend against them and develop governance and policies. Organisations want to adopt technology quickly, but it has to be done safely. Balancing innovation and safety is one of the bigger challenges.

One of the unusual things about AI is that it can be socially engineered. It’s kind of a cool thing to think about, but also a scary one.

What challenges remain in how CISOs communicate with boards and executive teams?

Let me give you a bit more context on my role. Before the acquisition, I was deputy CISO, and our CISO and I met with our board of directors once a quarter. We had a dedicated hour to discuss security-related topics. We were at an advantage because we were a security organisation inside a security company, so there was existing expertise on the board.

The challenge, ultimately, is that you’re working with human beings, and you need to understand the information they require to assess whether you’re doing your job effectively. We had good dialogue with our board and were transparent about what they wanted to see and what they wanted handled differently.

The larger disconnect, generally, whether with a board or an executive leadership team, is figuring out how to discuss very technical problems at an altitude that resonates with executives. If I talk about MCP servers and tools with a CFO, that will not resonate. What will resonate is the impact: is there financial risk, reputational risk? Understanding what resonates with key stakeholders is the broader challenge, regardless of whether the topic is cybersecurity.

When you work in a technical role, you’re used to the details. Most people in these roles come from very technical paths. Eventually, you need to learn how to communicate the message and the necessary technical details, but not necessarily at the depth you would use in a conversation with an engineer.

What does it mean for the SOC to become agentic?

AI creates opportunities to automate highly manual tasks. The SOC has historically had many manual tasks. If an alert fires, such as malware on a workstation, a SOC analyst typically examines what the user did before and after the event. If there is more activity, the analyst works through further manual checks. SOAR has helped close some of those gaps by identifying where automation is possible.

This is possible because the job is rooted in following prescriptive runbooks or playbooks based on the alert type. AI naturally fits into automating those tasks. Because Splunk builds SOC software, we think we can help improve the quality and speed at which a SOC analyst can respond. An AI agent can then assist across detection, investigation, and even remediation, such as closing a port or quarantining a system.

With AI, anywhere a person follows manual tasks, there will be an opportunity to increase the speed at which those tasks are completed.
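The triage steps described in the last answer (an alert fires, the analyst looks at what happened on the host before and after it, escalates if there is further suspicious activity, and may isolate the host) map directly onto a playbook that can be automated. The block below is an added example, written for this page and not code from Splunk, its products, or the interviewee. It encodes that playbook in plain Python over constructed sample telemetry, and adds the guardrail an agentic SOC needs: an agent may propose containment, but destructive actions run only against an allowlist and with a named approver. The event fields, window size, process names and action names are all assumptions chosen for the example.

```python
"""Added example: a minimal SOC playbook runner with a remediation guardrail.

Constructed sample data (not from Splunk or the interview). The playbook
reproduces the manual triage steps: build a timeline around a malware alert,
look for suspicious activity before and after it, set a severity, and
propose actions. A policy layer then decides what an automated agent may
execute on its own and what must wait for a human.
"""
from datetime import datetime, timedelta

# Constructed endpoint telemetry (UTC, ISO-8601). Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T09:58:00", "host": "ws-17", "user": "jdoe", "type": "process", "detail": "outlook.exe"},
    {"ts": "2025-09-10T10:01:30", "host": "ws-17", "user": "jdoe", "type": "process", "detail": "winword.exe invoice.docm"},
    {"ts": "2025-09-10T10:02:05", "host": "ws-17", "user": "jdoe", "type": "process", "detail": "powershell.exe -nop -w hidden"},
    {"ts": "2025-09-10T10:02:10", "host": "ws-17", "user": "jdoe", "type": "alert", "detail": "malware detected: dropper.exe"},
    {"ts": "2025-09-10T10:03:40", "host": "ws-17", "user": "jdoe", "type": "network", "detail": "203.0.113.9:443"},
    {"ts": "2025-09-10T10:40:00", "host": "ws-17", "user": "jdoe", "type": "process", "detail": "teams.exe"},
    {"ts": "2025-09-10T10:05:00", "host": "ws-22", "user": "asmith", "type": "process", "detail": "chrome.exe"},
]

# Process names that warrant escalation when seen near a malware alert (assumed list).
SUSPICIOUS_PROCESSES = {"powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe"}

# Guardrail: actions an agent may run unattended vs. ones that need a human approver.
AUTONOMOUS_ALLOWED = {"create_ticket", "collect_triage_bundle"}
NEEDS_APPROVAL = {"isolate_host", "disable_account", "block_ip"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def timeline(events, alert, window_minutes=10):
    """Same-host events within +/- window_minutes of the alert, oldest first."""
    lo = _ts(alert) - timedelta(minutes=window_minutes)
    hi = _ts(alert) + timedelta(minutes=window_minutes)
    return sorted(
        (e for e in events if e["host"] == alert["host"] and e is not alert and lo <= _ts(e) <= hi),
        key=_ts,
    )


def triage(events, alert):
    """Playbook step: inspect the timeline, set severity, propose actions."""
    findings = []
    for e in timeline(events, alert):
        if e["type"] == "process" and e["detail"].split()[0] in SUSPICIOUS_PROCESSES:
            findings.append(f"suspicious process near alert: {e['detail']}")
        if e["type"] == "network" and _ts(e) > _ts(alert):
            findings.append(f"outbound connection after alert: {e['detail']}")
    severity = "high" if findings else "low"
    actions = ["create_ticket"]
    if severity == "high":
        actions.append("isolate_host")  # the agent proposes containment
    return {"host": alert["host"], "severity": severity, "findings": findings, "proposed_actions": actions}


def execute(plan, approved_by=None):
    """Run the plan under the guardrail. Unknown actions are refused outright,
    so an agent that has been talked into proposing something off-list cannot
    get it executed; approval-gated actions are held until a human signs off."""
    executed, held = [], []
    for action in plan["proposed_actions"]:
        if action in AUTONOMOUS_ALLOWED:
            executed.append(action)
        elif action in NEEDS_APPROVAL and approved_by:
            executed.append(f"{action}(approved_by={approved_by})")
        elif action in NEEDS_APPROVAL:
            held.append(action)
        else:
            raise ValueError(f"action not in allowlist: {action}")
    return {"executed": executed, "held_for_approval": held}


def run_playbook(events, approved_by=None):
    """Triage every alert in the event stream and apply the guardrail."""
    return [execute(triage(events, e), approved_by) for e in events if e["type"] == "alert"]


if __name__ == "__main__":
    alert = next(e for e in SAMPLE_EVENTS if e["type"] == "alert")
    plan = triage(SAMPLE_EVENTS, alert)
    print(plan)
    print(execute(plan))                         # isolate_host is held
    print(execute(plan, approved_by="analyst1"))  # isolate_host now runs
```

The split between `triage` and `execute` is the design point: the part that reasons about the alert (today a runbook, tomorrow an agent) is allowed to be wrong or manipulated, because the allowlist and the approval gate sit outside it and are enforced in deterministic code. That is the same secure-by-design guardrail idea applied to the SOC's own automation.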
