The Security Interviews: Mick Baccio, Splunk
A lot of people struggle to pronounce the name of American politician Pete Buttigieg. When Mick Baccio, now global security advisor at Splunk SURGe and Cisco Foundation AI, went to work for him in a previous life, it was helpfully spelled out in large letters on the office wall. Buttigieg says it ‘Boot-edge-edge’, if you were wondering.
“I was like, oh that’s clever, thank you for that,” says Baccio. “I’m going to meet the man in a second, I should know this!”
A former US Navy Reserve intelligence officer who began his political career as the mayor of South Bend in Indiana, Buttigieg served as secretary of transportation during the administration of US president Joe Biden, from 2021 to 2025.
However, before that, he had a tilt at the White House himself, running a primary campaign that won in the state of Iowa, before he dropped out at the start of March 2020 as the Democrats rallied behind Biden.
It was on this campaign that Baccio met Buttigieg, and in conversation with Computer Weekly, he reflects on the experience of bootstrapping cyber security for a US presidential campaign.
Baccio admits he was sceptical about taking the gig at first, having just escaped Washington DC himself after serving as a threat intelligence expert for the Executive Office of the President under both Barack Obama and Donald Trump.
“I got a call one day. They said, ‘Hey, do you want to come be CISO [chief information security officer] for the Buttigieg campaign?’ I said ‘no’. I was like, ‘I’m good’,” he says.
“When you look at a political campaign in the United States, win or lose, you’re going to be unemployed in November.”
Someone must have kept on at him, because the record shows he took the job, and even though “president Buttigieg” did not take the job, Baccio has no regrets about his choices.
“It’s the most fun you’ll have,” he says. “The closest thing to a political campaign, I think, is a startup, but a campaign is a most unique organisation because it’s a non-profit funded entirely by donations and its sole purpose is to elect your mascot.
“Now, I say mascot not in a mean way, but secretary Buttigieg was not involved in day-to-day operations. He didn’t run things in the campaign – he was the campaign. He’s not even the CEO, he’s who we are – we’re Pete for America.”
In such a campaign, the role of CISO takes on a fundamentally different aspect, says Baccio. To start with, most campaign staffers are volunteers, or in their first or second jobs after university. “Most of them don’t even know what a CISO is. I had to explain that a lot, why I was there and what I was doing – teaching folks how to ‘do the cybers’,” says Baccio.
Such a campaign faces challenges that large organisations with security budgets and supportive boards do not. For one thing, every dollar that a political campaign spends on something like cyber security, office furniture, or coffee and doughnuts is a dollar it is not spending on winning votes, so Baccio quickly learned he had to operate lean and operate cheaply.
But despite what tales of Russian espionage and interference in US election cycles might lead you to believe, the campaign faced a threat environment much like any ordinary business.
“I think one of the most under-appreciated threat vectors is just plain old fraud and business email compromise,” says Baccio.
“This is a $100bn a year industry, and we talk a lot about the agentic AI [artificial intelligence] threat, polymorphic-enabled malware, APT [advanced persistent threat], blah blah blah – everybody wants it to be that, but it’s generally fraud,” he adds.
“I never underestimate folks who are just trying to do their job. If your job is to process invoices, it’s all you do all day, if you get a PDF labelled ‘invoice’ you’re going to open it. Fraud is a bigger problem than any APT or AI attack, but I don’t think it’s sexy enough to get column inches.”
Five a day
Indeed, an often-neglected security message, and one Splunk is keen to repeat, is the importance of eating your cyber vegetables – that is to say, nailing the basics.
Having driven around this block several times over the years, Baccio thinks these vegetables account for at least the bottom third of the cyber food pyramid.
“You know you’re supposed to drink lots of water, you’re supposed to eat lots of green things, and if you don’t, your body reflects that,” says Baccio. “And you know you’re supposed to MFA [multifactor authenticate] all the things, you know you’re supposed to segment your network, you know you’re supposed to patch your things – and if you don’t, your network gets popped.
“I’m not saying do all these things and you’ll be okay, I’m saying do all these things and you’ll be in a better position.
“Hackers don’t hack the cloud, they log in. They’ve already bought those credentials from an access broker. They’re not hacking anything. But if I have phishing-resistant MFA available to me, they might not be able to log in, the account takeover won’t happen, and the rest of the cyber attack changes going forward. So it’s those things that I think go a long, long way towards raising that overall bar.”
Blue collar for the blue team
Splunk SURGe was set up to help defenders tackle real-world problems that they face today, with a mix of actionable guidance, in-depth analysis on cyber issues and practical solutions during fast-moving security panics. Think of its output as a cyber buffet with excellent vegetarian options.
SURGe had its genesis during one of the “headless chicken” moments, when unit founder Ryan Kovar was poring over various Slack groups one evening and spotted a lot of chatter surrounding an apparent SolarWinds compromise – heralding the now legendary Sunburst/Solorigate incident.
In the wake of this, Kovar realised there was a big gap in Splunk’s offering, in that the company had pretty good tech and processes when it came to applying data science to security, but wasn’t so hot at cutting through to the human side of things.
In short, it wasn’t being holistic enough.
“Hackers don’t hack the cloud, they log in. They’ve already bought those credentials from an access broker. They’re not hacking anything. But if I have phishing-resistant MFA available to me, they might not be able to log in, the account takeover won’t happen, and the rest of the cyber attack changes going forward”
Mick Baccio, Cisco Foundation AI
That said, Kovar – in his own words – “wasn’t sure the world needed yet another security vendor research team”, so he formed SURGe to be a practical resource for users, or “blue collar for the blue team”.
Baccio was intimately involved in the unit’s creation – Kovar credits him with coming up with the “blue collar” line – and several years down the line, he still spends a lot of time helping Splunk’s customers make sense of the security landscape through blogs and other forms of outreach, as well as participating in a regular series, Coffee talk with SURGe.
He reflects: “I’m really lucky that I was in the Buttigieg campaign, that I was at the White House prior to that, the Pentagon, HHS [the Department of Health and Human Services], the CDC [Centre for Disease Control], and I’m now able to take all of that experience and bring it into SURGe and say, ‘These are the security things I’ve seen in my career – this is what I believe people want’.”
Threat intel at the foundations of AI
However, since July 2025, SURGe’s core mission has changed somewhat, after it transitioned to work within Cisco Foundation AI, a new initiative by Splunk’s network-centric parent that is developing open-weight, security-specific AI models.
In April 2025, Foundation AI launched Foundation-sec-8b, an eight-billion-parameter large language model (LLM) expressly designed to enable security teams to work faster, act more precisely and scale their operations without compromise.
You might reasonably wonder what a threat intelligence unit is doing jumping into bed with a bunch of LLM developers. Baccio himself declares he was shocked when it happened, but now he thinks it may be the smartest move Cisco has made since acquiring Splunk.
He characterises it as bringing SURGe’s collective experience as a steward of threat intelligence and a trusted advisor to customers to bear on a highly technical field and build AI tools that actually help security teams.
The advent of agentic AI in the past 12 to 18 months helps drive this narrative forward, says Baccio, and makes the promise of AI more real, at least compared to where it was a couple of years ago.
“If I throw generalised AI at a cyber problem, it’s not going to be great. But if I built a very specific model to do a very specific thing, then, yeah, that’s what I wanted a year ago when you sold me this AI hype,” he says. “Agentic is focused on one task, and it’s going to do it really well, but don’t ask it to do anything else.”
He cites the work of his colleague Shannon Davis, a principal AI researcher at Foundation AI, as a case in point. Davis created a tool called PLoB – standing for post-logon behaviour – to help detect intrusions instantaneously.
“To my point where you don’t hack the cloud, you just log in, after you have done so, PLoB detects all the activity that you’re doing and will be able to say, ‘This is a malicious actor’ or ‘This is just Mick from research’,” he says.
“Being able to do that at machine speed is something we’re going to have to lean into more when you take into account API calls, non-human identities, and all these things we’re introducing to the Rube Goldberg machine of the internet.
“Learning how agentic is applied becomes critical,” says Baccio as he looks ahead. “We have some stuff going on in the background that I can’t speak to, but we’re actively working together to brainstorm ideas and build these things to help move that Sisyphean security rock further up the hill. I’m excited about that. We’re going to help to keep someone’s security programme a little more secure.”
