CISO Series Podcast — May 20, 2025
Episode: Why Learn Security Fundamentals When We Could Just Chase Our Tails?
Hosts: David Spark, Jesse Whaley (CISO, Amtrak, guest co-host)
Guest: Vaughn Hazen (CISO, CN – Canadian National Railway)
Theme: How enduring security fundamentals, practical regulation, and human-centered practices shape resilient organizations, even amidst shifting technology and regulatory pressures.
Episode Overview
This episode brings together the top rail security leaders from the US and Canada for a candid discussion on enduring cybersecurity principles, the realities of regulation, evolving threats (notably AI and supply chain risks), and why people—not just tools—remain central to cyber defense. Rooted in lived experience and recent regulatory shifts, the conversation digs into practical collaboration, vendor management, measuring AI’s real impact, and the perennial challenges of security tool risk. Throughout, the hosts favor grounded, proven approaches over chasing the latest buzzwords.
Key Discussion Points & Insights
1. The Enduring Value of Security Fundamentals
- Legacy Lessons Still Apply
- The show opens with Vaughn Hazen’s cautionary tale (00:03) about underestimating the differences between security tools (in his case, scanners), highlighting the need for diligence and caution even, or especially, with supposedly time-saving tech.
- Are Today’s “New” Security Concepts Actually New?
- David Spark poses whether Adi Shamir’s 1995 "10 Commandments of Commercial Cybersecurity" still hold up (04:23).
- Jesse Whaley: “The basic fundamental sound practices of cybersecurity still hold true… all companies need to have good cyber hygiene practices: patching, strong passwords, MFA, managing vulnerabilities…” highlighting that core principles remain relevant, even as technology evolves. (05:20)
- Vaughn Hazen: Recalls Microsoft’s "10 Immutable Laws"—“If I can persuade you to run code on your computer, it’s not your computer anymore” (07:12)—underscoring that while threats and tooling change, foundational risks and mitigations remain constant.
- Both agree that while terminology evolves ("zero trust", "defense in depth"), the concepts themselves are decades old.
- Quote (Vaughn Hazen, 08:37): "Security is complicated, and when you try to simplify it down to a one-liner or one-layer, it’s not going to function."
2. Regulation Realities: The TSA and Rail Industry Cybersecurity
- US & Canada Rail Security Mandates
- Spark introduces new TSA rules proposing formal security regulations for railroads (09:05).
- Vaughn Hazen: Candidly critiques the TSA’s approach—more form than function and sometimes mismatched with railroad operations:
- “We welcome constructive collaboration in combating nation-state attacks...but I will challenge the assertion that the directives have become more outcome-focused.” (09:58)
- Highlights real-world miscommunications—from irrelevant requirements (focusing on passenger data for a freight railroad) to impractical 24x7 coordinator demands and loss of legal challenge rights (10:39–12:44).
- Jesse Whaley: Notes improved coordination among US railroads via industry groups (12:55). While Amtrak faced different obstacles, the same themes of misaligned definitions and communication gaps with TSA recurred.
- "The first step… is to identify your critical cyber assets… what I view as critical isn't the same as Vaughn’s—so there’s a clear misunderstanding at the TSA policy level." (15:13)
3. Tools vs. People: "What’s Worse" Game
- Which would you rather have: all the tools but no staff, or a small team and no tools?
- Both Jesse and Vaughn quickly side with people as the non-negotiable asset.
- Jesse Whaley: “Why have tools if you don’t have anybody to use them?... you can just hire the right people that know how to work with open source tools and could develop the tools that are needed.” (18:59, 19:16)
- Vaughn Hazen: “People make the difference… Even if you bought all brand new tools... in a short period of time they’ll be outdated... The reality is people make the difference.” (19:46)
4. Practical Use & Impact of AI in Cybersecurity
- Is AI Transforming Defense?
- Spark asks for evidence behind vendor AI claims (20:50).
- Jesse Whaley:
- Defensive AI: “Not seeing a whole lot of fresh value from AI just yet... It’s not saving the day yet.”
- Offensive AI: “Where I’m seeing more… is on the offensive side—threat actors crafting perfect phishing emails.” (21:39)
- Where AI is helpful: natural-language data searches and executive summaries, but not “transformative.”
- Vaughn Hazen:
- Recognizes the longstanding benefit of machine learning in malware detection, but cautions that the best benefits of new AI platforms (e.g., security copilot) require tightly coupled vendor ecosystems, which most orgs lack.
- “It’s about building efficiency in the way that your team works. And so I think there’s value there...but most organizations are not set up that way.” (23:16)
5. Supply Chain & Security Tool Risk
- Treat Security Tools Like All Other Software
- Spark asks: Are we accounting for the risk our own security tools introduce, especially given their privileges? (24:19)
- Vaughn Hazen: “Every single thing you add into your environment increases your attack surface... all software is vulnerable.” (25:24)
- Advocates minimal tools, regular rationalization, and continuous maintenance.
- Jesse Whaley:
- Amtrak has a mature vendor risk management process; past breaches or audit failures influence vendor selection.
- “If they've had a breach, we want to talk about it... every company... should have patch management, vulnerability management, configuration management…” (27:14)
- Vendor Response to Breaches—What’s Acceptable?
- Jesse Whaley:
- Bad: Silence or no public outreach.
- Good: Proactive, multi-channel, leadership-level communications and clear remediation steps.
- Vaughn Hazen:
- Bad: “When an organization tries to shut down those who are drawing attention to a problem…they deny and say, ‘It’s not really a vulnerability, it’s working as designed.’”
- Good: “When they communicate clearly, take responsibility, and work to clean it up as quickly as possible…” (29:43–30:56)
Notable Quotes & Memorable Moments
- Jesse Whaley on Security Fundamentals (05:20):
"All companies need to have basic and good cyber hygiene practices. I don't think that's going to change regardless of AI or the next big thing."
- Vaughn Hazen on Zero Trust and Layers (08:37):
“You cannot depend on a single layer to really solve all your security problems… security is complicated and when you try to simplify it down to a one-liner or one-layer, it’s not going to function.”
- Jesse Whaley on Tools vs. People (19:16):
“We could hire people, but there’s no tools for them to use… we can just hire the right people that know how to work with open source tools and could develop the tools that are needed.”
- Vaughn Hazen on Vendor Breaches (29:43):
“When an organization tries to shut down those who are drawing attention to a problem… they make threats and otherwise try to shut down those researchers… if they deny and say, 'Oh, it’s not really a vulnerability, it’s working as designed…' That’s a problem.”
Timestamps for Key Segments
- 00:03 — Vaughn’s biggest security mistake: neglected differences in scanners crippled operations
- 04:23 — Are the old security commandments still relevant? Enduring principles
- 09:05 — TSA rail directives: intended collaboration versus regulatory frustration
- 12:55 — US rail association & industry group collaboration; regulatory disconnects in defining critical assets
- 17:35 — "What’s Worse" game: tools vs. people in security orgs
- 20:50 — AI’s real vs. hyped impact on security defense
- 24:19 — Treating security tools as part of your attack surface; vendor supply chain risks
- 28:48 — Vendor responses to security incidents—what actually matters for trust and continued business
Conclusion and Hiring Notes
- Both organizations are hiring, but retention is high.
- Jesse: “We're always on the hunt... whether it's here at Amtrak or I kick them over to Vaughn...”
- Vaughn: “We do hire, for key roles... but low turnover.”
This engaging, candid episode serves as a reminder that fundamentals—well-understood and applied by experienced human teams—remain at the heart of security, regardless of technological trend or regulatory fashion. Vendor partnerships, regulatory compliance, and new tech like AI all demand vigilance, but none diminish the need for strong principles and high-quality talent.
