On the 20th episode of Enterprise AI Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Gene Sun, Vice President and Chief Information Security Officer at FedEx. FedEx is a multinational courier delivery services company with over $90 billion in annual revenue and more than 500,000 employees globally. With billions of packages delivered every year, using the world’s largest cargo fleet, FedEx uses sophisticated technology to provide a unique delivery service to customers across the globe. In this conversation, Gene discusses industry shifts from isolated point solutions to powerful, AI-driven platform strategies, AI as a growing tool for attackers and defenders, and predictions for the future of AI-powered cyber defense.
Quick hits from Gene:
On the evolving workforce adapting to AI integration: “There is some kind of fear in society that AI will replace all the human beings doing the work. I have this saying, AI will not replace your job. People who know how to use AI will replace your job.”
On consolidation and innovation in AI-driven cybersecurity: “There’s only so many players who can afford to stay in the AI race. I think only a couple of large cyber security platforms will survive and they will provide the fundamental platform for any additional innovation that will be created for security related AI models.”
On AI lowering barriers for fraud: “Cybercriminals are using AI to generate counterfeit FedEx shipping labels. Previously, to create a counterfeit FedEx shipping label you needed to have programming skills to decode our tracking numbers to be able to generate readable barcodes. Now, AI has removed those technology requirements and criminals are increasing their velocity to perpetrate those crimes.”
Recent Book Recommendation: Guns, Germs, and Steel by Jared Diamond
Evan: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I’m Mike Britton, the CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Gene Sun, Vice President and Chief Information Security Officer at FedEx. FedEx is a multinational courier delivery services company with over $90 billion in annual revenue, and over 500,000 employees globally.
With billions of packages delivered every year, using the world’s largest cargo fleet, FedEx uses sophisticated technology to provide a unique delivery service to customers across the globe.
In this conversation, Gene discusses industry shifts from isolated point solutions to powerful, AI-driven platform strategies, AI as a growing tool for both attackers and defenders, and predictions for the future of AI powered cyber defense.
Evan: First of all, Gene, thank you so much for taking the time to join us today. Love, maybe, to kick off, for you to give our audience a little bit of background about kind of your career, maybe how you ended up where you are today in your current role at FedEx.
Gene: Well, you know, first of all, thank you, Evan and Mike to have me on, you know, I'm thrilled, you know, to be here with you guys and share what we all face in the cyber security.
As far as myself, I grew up in China. So, you know, I came here for the graduate school in University of Memphis. You know, funny thing is in FedEx, you will find very common lots of people join FedEx as an intern. So I joined FedEx as an intern, you know, with my background as a double E electrical engineering, you know, engineer. So I started my career, not in the, uh, information security area.
I was hired as a software developer for e-commerce application. And, so I did application development for the back office for sales automation. I did my career, you know, in the FedEx global infrastructure. You can think about the router switch, phone system. And before I joined information security organization, as a CISO about five years ago.
Evan: Do you mind sharing a little bit more about some things about, you know, FedEx that probably the average person might not appreciate, maybe even the average FedEx customer.
Gene: The scale of FedEx operation is just massive. There are few statistics I always use. We have over 200,000 motorized vehicles worldwide. We have almost 700 airplanes worldwide. We're larger than most domestic airlines you can think of, our number of airplanes we have. We have physically almost 6,000 physical locations, stations, hubs, office locations worldwide.
Uh, we have over 500,000 team members worldwide. So, you know, one of the things probably categorize FedEx is our massive scale and how big our, you know, use cybersecurity, uh, terminologies, how big our attack surface is. So I think that's probably one of the very prominent, you know, characteristic of our program here.
Evan: When you think about the next like maybe a couple of years, right? Imagine we're sitting here in three years, right? We're meeting with a handful of your peers. What are some of the things you think people will say that they're really happy they overinvested a little bit back in 2024?
Gene: I think one of the things we are moving away, you know, uh, with even within my program is, you know, for the past 10 years, we as a security organization, we have always go to the market, look at a different technology providers for the pointed solutions. And we also pride ourselves, find the pointed solutions for specific problems.
But moving forward in this whole AI driven world, I think you will be winner take all, uh, moving forward. I think we as a technology practitioners, we need to carefully think about what are the larger platforms we have to make bets on. Because, you know, always going to be innovated company or startup coming up. But if you don't have the scale or the data points to train your AI model to to provide the AI empowered services, I think that's that's going to be, uh, you know, fall behind.
So that's one of the things I advise my team as well as advise my, my peers. It is be careful who you are making bets on because this disruptive forces called AI is coming and there are lots of hypes for that. But when you look at it down the road, that's AI will fundamentally reshape both offense and defense side of the information security.
Evan: You know, Gene, you kind of brought this interesting point about this like, um, winner take all dynamic. Do you mind kind of explain what you mean by that, right? Is it, like, the way I interpreted it was there's going to be some platforms which get a little bit ahead. They will get more data, working more customers, that data and their customers allowed to invent more technology. They can better use their data. And so it's not about like, you know, the future is not about the best point solution, but it's about the best platform that has kind of, that can accelerate their AI investments because those will kind of snowball and then because they become more dominant longer term and therefore it'll be a better platformer. And maybe share more what you mean by the winner take all. It's kind of interesting concept.
Gene: Yeah, because, you know, in the AI world, scale matters. Everybody knows. Big, big language model, you know, big data platform, you know, in order for you, for your AI to, to work, that's why everybody's buying Nvidia chips like crazy, because they need those horsepower, those investment to crunch those data points to train the different iteration of the, of the model itself.
So, you know, I think there's a little bit of controversy. I don't know. If we can talk about that, it is, uh. You know, I'm sure you guys watched Eric Schmidt, his now famous interview at Stanford University, when he talked about, you know, there's only so much player can afford remain in the AI race. And, you know, to have a robust and useful AI model to sustain it, it's expensive. Economics dictate you have to pour all your investment to aggregate into a few players to do so. For the cyber security is it will be the similar things. At least that's my belief.
I think there will be only a couple of large cyber security platforms will survive and will provide the fundamental engine, fundamental platform for all other additional innovation will start, will spawn up or spawn off from those platforms. Cybersecurity or security related AI models.
Evan: Are there any, like, um, just thinking like this concept of like, you know, winner take all is important because that means like, it'd be kind of, pick the wrong winner, right? You could be, you know, you could be on this multi year journey that's a dead end and you have to end up kind of rewinding, unwinding a little bit. Right. So it's probably a lot of consideration that security leaders need to think about as they choose the right technologies, the platforms, right. And this applies to, you know, I'm sure the team as well.
What are some like the intangibles, right? You know, you have five vendors all do the exact same thing, right? What are some of the intangible, sorry, their product does the exact same thing. What are some of the intangibles that you look for in terms of like, the culture, the vision, the ambition, the level of partnership of customer service, you know, what are some of those things that you think are going to become disproportionately important for, you know, security teams, right. As they work with their vendors, right. In this, in this new era.
Gene: Well, I, as a CISO, you know, when I look at my team, even my team, lots of times, you guys probably know this as well, our security practitioners love their tools and love their features. So, you know, I mean, we use your analogy of five technology, uh, security providers. They have five tools for, you know, typically we do those kind of bake off or, you know, those kind of, uh, comparison.
I think right now we should seriously give less weight of time snapshot of the feature comparison. Because, you know, those one point is those vendors, they leapfrog each other all the time. So when you compare those kind of bake offs, it is only a one time snapshot. So that's one point.
The second point, like you said, when the endgame, it's going to be a large AI model will empower most of those tools, 5-10 years from now on, it is really look at deeper under the hood. Who are the players within this company? How deeply they are connected to the larger ecosystem, other large players. Also look at how much they are thinking about growing their capability as a larger model and are they ambitious enough to become one of the winner take all survival, survivors. So those are larger considerations I think we need to make.
Mike: How do you see attackers and cyber criminals also leveraging AI? Because with everything that we can use it for positive, uh, they're pretty creative and figuring out negative ways to use it. What do you think the attacks are going to go? How do you think they're going to leverage AI for bad purposes?
Gene: So when you compare today's phishing emails we received versus 10 years ago, 10 years ago, we all, you know, as a security practitioners, we kind of like shame our, uh, you know, colleagues who click on phishing email, kind of like, you know, hey, this email got an obvious spelling error or grammar problems. Why did you fall for that thing?
You know, we all have all those jokes, you know, and we got a lot of mileage out of you know joking to our CFO or whoever who click on the fail for those kind of scam. But today I can pretty much guarantee you all those phishing emails are generated by large language model and every single email we have looked at it, they are all with perfect grammar and perfect English and perfect language, whoever the target audience are no longer have grammar error or spelling error. Great context and everything else make it harder to detect. So that's one example.
Another example, you know, there are lots of people, uh, bad guys, criminal organization wants to defraud FedEx. They want shipping for free without paying us. And they want to find our customers valuable merchandise and try to steal it. So you can view this as a fusion of cybersecurity and physical security together. So my team does this.
And what we are starting to see is, you know, there are cyber criminals using AI technology to generate counterfeit FedEx shipping labels, when you think about this. And back then, in order to create a counterfeit FedEx shipping label, you need to have basic programming skill and knowledge to decode our tracking numbers to be able to generate good and readable barcode for shipping barcode and everything else. Now all those AI removed those kind of all the technology requirements and criminals are increasing their velocity and, to perpetrate those kind of crimes and those kind of activity. So those are just some of the specific example.
Evan: I think what I heard you say is like these AI technologies are now kind of reducing the barrier required to, um, to participate in crime. And so to what extent do you think that, um, you know, AI allows more people to be criminals, right. And like, and if that's true, right, like then what happens when, you know, AI is now creating more criminals that can send more sophisticated attacks, like faster and more effectively. Where does that, where does that take us? Right. You know, five years from now, what are the kind of implications of that right on the, our, you know, at the civilization level in terms of how we fight against crime?
Gene: So there's a saying in my organization, it's a, it's, it's accepted fact. It takes AI to fight, fight AI. When FedEx TNT was attacked through the MEDOC application in Ukraine, we did a timestamp as well as forensics of every single step.
So we measured when the update gets pushed into the single machine in FedEx TNT estate in Ukraine, within five minutes, five minutes, um, entire worldwide TNT, 60,000 Windows PCs and machines and servers were bricked. So that was a velocity of propagation.
So when you think about in that world, you have human beings cannot respond fast enough in that period to stop that spread, but I do believe there is an opportunity to use AI defenses, to detect, hey, there's something wrong going on here. This deploys some countermeasure, deploys some blocking, deploy some kind of segmentation. At least that's my hope. Um, to use AI powered, uh, tools to defend or slow down those kind of propagation and mitigate as and reduce our risk in the future.
Evan: So I actually, I, I agree with you on that, Gene. I think that, but I don't know that's yet a common view, right? I think that that's still a slightly contrarian view, but I think it's, it's growing. You know, if that is all true, like again, what are the implications on, you know, the, the, the paradigm of how we do security, right? There's cybersecurity as a civilization, right?
So forget vendors, forget customers, forget like the industry. But at the civilization, like we have to go stop against these attacks. And if we're going to a mode where there's more of these kind of AI powered attacks, you know, right now, kind of the paradigm for defense is you hire 100 analysts and you figure out all your systems and you dump all your data in your SIEM and you create a bunch of alerts and people go through and they look at these things and there's a lot, it's all, it's very reliant on human analysis and human judgment, right? And that's worked, you know, that works probably much better than 10 years ago than it is today. But if we're going to the world you described, right, that seems like it becomes decreasingly effective yet. I don't know, we're not really on that great track as a solution to like, build a good AI to fight the bad AI, or at least the bad AI is being built a little bit faster, right? Because the criminals are more faster to adopt technology.
Gene: Well, you know, uh, I, I remain to be optimistic in the society. You know, when you look at human history, we face so many different challenges, so many disruption of technology. Somehow we survive and somehow we prospered, as a race, so I remain optimistic about our future.
With that said, if you are into the cyber security risk management area, you don't put all your eggs into a single basket, right? We will rely on AI tools to fight AI, but we have, we have other measures. We have our business continuity measures. We have our disaster recovery measures. We have our plan B, plan C, plan D. All those require human intervention and require people to think through. Those require people understand FedEx business and FedEx technology state to design those. So that's one, you know, I remain to be optimistic.
The bad guys may find innovative use cases and to gain temporal advantage, but I do believe, you know, good guys will catch up. Will beef our defenses. And will come out ahead.
Evan: So, so maybe on the optimistic theme, like what are some of the areas that you think AI can have the biggest impact or security in the short term?
And actually I'd love to hear almost your contrarian, like, what do you think it will have a bigger impact than you've seen your peers do? Or what do you see as the big opportunities that are maybe underappreciated by the average security team or security leader.
Gene: Well, you know, I think, you know, there are also some kind of, uh, fear within the entire human society about AI will replace all the human beings doing the work. I have this saying, AI will not replace your job. People who know how to use AI will replace your job.
Evan: We have the same saying in our company too.
Gene: Yeah. So, so that's, that's how I, how I think about this whole, whole, our future and how we design, how we operate and how we talk to our, you know, practitioners in this space.
I remain to be extremely bullish on how AI can take us. I believe AI as a human oversight can really increase velocity of our today's defense. Human beings cannot respond fast enough, so I'm very bullish on that.
The second area I'm very bullish on that on the AI's capability to tell me what is normal for every single human behavior, machine behavior, and application behavior. And to tell me, raise a flag on what's abnormal. That's, that's not a pun to promote your brand, but, you know, it is what's abnormal. I think that's the future of cybersecurity. It is what is normal and detect everything that's abnormal and to use AI to deploy countermeasure as well as to respond in a swift fashion. I remain extremely bullish in that regard.
Mike: Yeah, I would say on the flip side, um, you know, I think AI has a lot of use cases, a lot of problems to solve. Where, where are maybe some areas where maybe the promises of AI might be a little overhyped or maybe not necessarily deliver the same results?
Gene: I don't know if we'll not deliver the same results, you know, when you think about this is, uh, um, I use analogy of internet. When you were in the year 2000, uh, if you are old enough, like myself, you saw the internet .com bubble burst and there were lots of people, kind of like, doomsday say, okay, it was over hype, over promise. But when you look back 24 years, since 2020, all the promise of e-commerce and .com, 5G and everything else. All those prediction became reality, and it just did not come in the time horizon most bullish people were predicting. So, you know, I'm taking a little bit contrarian view of that. I think all those prediction will come true. It's just the time horizon may not be some people predicted.
Evan: That's so true. Actually, that's such a good point, because even the most bullish prediction of the Internet in 1990 or 1995, right, we've surpassed those.
Gene: Oh, yeah, we absolutely blew those. Absolutely blew those.
Evan: Like no one would even believe, right, that, oh, we're going to do a digital. You know, we're going to create a recording of a show together without ever meeting person, right? We wouldn't have believed that, right? You know, 30 years ago, right? That was beyond the fantasies of the early Internet pioneers.
So you're kind of points like there's some similarity there with AI, right? Yeah, amazing. Have the first 10 years. But if you kind of zoom out a little bit, take a longer term perspective on, you know, civilizational advancement. Like, yeah, maybe it takes 20 years, maybe it takes 30 years, but these things are likely to come, you know, we, we probably will outpass even our own expectations.
Gene: Yeah, we will, we will find, here's my prediction of AI. I will say majority of today's AI prediction may not be, you know, operational, operationalize in the next three years. You may find additional use case operationalized as AI, but every single prediction probably will get operationalized in the next 20 years.
Evan: Alright, so in the last five or ten minutes, what we'd like to do is a bit of a lightning round. So we're kind of looking for like the one tweet answers. These questions are probably impossible to actually do that for us. So, um, but yeah, see if you can try to kind of keep it, you know, really short.
And maybe Mike, do you want to kick it off for us?
Mike: So what's one piece of advice you'd give to a security leader as they step into their very first CISO job? Maybe something they would overestimate or underestimate about their role.
Gene: The first, uh, advice it is as a CISO working for a business, the number one currency you have is your credibility. Make sure you maintain your credibility with business, you know.
Sometimes we as a cyber security, uh, leaders, we always bias towards risk is overriding else. But just remember, you are supporting a business. Make sure you are balanced and you're credible.
Evan: What do you think will be true about AI's future impact on cybersecurity that most other people would think is science fiction today?
Gene: Well, like I said, the, the, I'll say AI empowered response without human intervention. Many people don't believe that many, many people don't feel comfortable doing that. That has to be.
Mike: So on a more personal note, um, what's a book that you've read that's had a big impact on you and why?
Gene: Well, you know, I, it was many, many years ago, uh, I, I read a book called, uh, uh, Guns. Uh, guns, steel and germs, and that was a book to talk about how those kind of, uh, um, you know, one time event, or some of the X factors will fundamentally reshape human events and human society, moving forward. Or change the course of the human history. When you think about it, we are the risk managers typically deal with those kind of things. Uh, we always have to look out those kind of unintended X factors.
Evan: Okay, so maybe for the final question, what advice would you share to inspire the next generation of security leaders?
Gene: You know, many people are scared and feared about security. Actually, you know, cyber security is cool. In a way, you know, call me a sick puppy, but, uh, but, uh, you know, especially like I said, in today's world, digital is the forefront of the revolution the society is going, going through, and cyber security is, as a table for all those changes because you have to make sure all those changes are safe and secure. So you get experience and watch the transformation of entire society in a safe and secure manner in front of your eyes.
So I think it's a very worthy career and we're very noble profession. And it's in my mind.
Evan: It's certainly a worthy mission, right? That we can, we can all use of all three of us, right? As, as recruiters to that mission, we're telling you guys, uh, we, we need some help over here, right? Um, it's a worthy cause.
Well, Gene, uh, thank you so much for joining us today. I mean, extremely impressive to hear, you know, just more about FedEx and kind of the scale impact you guys are having very inspirational and personally exciting. Just hear about your views about the future, right? I share your optimism and, uh, looking forward to chatting again soon.
Gene: Well, thank you, Evan and Mike. It's been fun. Uh, and, uh, let's all hope we can get all the help we need.
Mike: That was Gene Sun, Vice President and Chief Information Security Officer at FedEx. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I'm Evan Reiser, the founder and CEO of Abnormal Security. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog
This show is produced by Josh Meer. See you next time.