
David Spark
Biggest mistake I ever made in security go.
Vaughn Hazen
The biggest mistake that I ever made was believing that all tools are the same. About 20 years ago I was working with Qualys vulnerability scanners, and our MSSP partner said, hey, we just penned a commercial deal with this new partner. It's going to save you a ton of money. So we went ahead and took advantage of it. That organization, which is no longer in business, had this unique aspect where they would scan adjacent IP addresses, and we had specifically blocked out certain IP addresses not to scan because at that time the voice applications were transitioning from serial to TCP/IP, and they were running over TCP/IP, but they were really not ready for primetime. So if we scanned them, it created problems. Well, when this thing was scanning adjacent IP addresses, it shut down our call centers. So yeah, that was probably the biggest mistake I've made.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. My co-host, a guest co-host for today's episode, but you've heard him on the show many times before. It is the CISO for Amtrak, none other than Jesse Whaley. Jesse, say hello to the nice audience.
Jesse Whaley
Hello, nice audience. It's great to be back on the show as David's co-host today. Thanks for having me.
David Spark
David, we love having you on. In fact, I believe you were my guest co-host. We did a show in Tel Aviv like two years ago that was a ton of fun.
Jesse Whaley
Yes we did. That was awesome.
David Spark
We're available over at cisoseries.com, and our sponsor for today's episode is Doppel. Defend what's real, disrupt what's not. A purpose-built platform that stops social engineering at scale, powered by adaptive AI and human expertise. That's Doppel. More about that later in the show. Jesse, this episode is dropping in May, which will be after RSA. You will be going. Now, we can't talk about how we enjoyed RSA, but let me ask you, what do you do to prepare to go to RSA, and what is a successful RSA for you?
Jesse Whaley
So I always have to go to RSA with a plan, and I think we may have talked about this before, because if you don't go there with a plan, all you'll leave there with is a hangover because of all the parties and dinners and everything else that goes on at RSA. So typically my plan is, you know, pick a couple of the big talks that I want to listen to, to see what some of the other strategic thought leaders are thinking around the country and around the globe this year. I do have a couple of folks on my staff speaking, so of course I'll go support them and cheer them on as they're on the RSA stage. I typically participate in the NightDragon Innovation Summit, which is adjacent to the RSA Summit, but a lot of my time is actually spent meeting with various industry colleagues and vendors and taking advantage of all the people being in one location.
David Spark
Yeah, that is the key thing. It is essentially the gravity that this event creates of bringing people together that is really its greatest power. In fact, I'm gonna actually bring our guest in now, because it's kind of a big deal that this guest is on today. This has been a long time coming, because you are the CISO of the rail company for the entire United States, and we also have the CISO for the rail company of the entire country of Canada, none other than Vaughn Hazen, CISO for CN. Vaughn, thank you for joining us today.
Vaughn Hazen
Thanks, David. Good to be here.
David Spark
Are you going to be going to RSA this year?
Vaughn Hazen
I usually go to RSA because of the Executive Security Action Forum that I take part in. But yeah, I'm usually there.
David Spark
And let me ask you, is your plan in any way different than what Jesse described?
Vaughn Hazen
Yeah, except I won't have the hangover. I never drank.
Jesse Whaley
Well, I'm not looking for that either, but you know, it's just sound advice. Come up with a plan other than.
David Spark
To other than a hangover. Don't have that as your plan.
Jesse Whaley
Absolutely.
David Spark
Didn't we solve this already?
Quote, People in cybersecurity assume that every challenge our industry is experiencing today is new and has never been faced by those in other fields, end quote. This trend was noted recently in a blog by Ross Haleliuk. Now, while threats might be new, the underlying principles of sound cybersecurity seem to have stood the test of time. He points to a 1995 talk by Adi Shamir, one of the developers of the RSA cryptosystem, that laid out the 10 Commandments of Commercial Security. They all sound remarkably relevant, like don't aim for perfect security, don't trust systems, don't trust people, and don't rely on a single line of defense. Sounds a lot like defense in depth and zero trust to me. So I'm going to start with you, Jesse, on this. Do Adi's 10 Commandments hold up, or has the cybersecurity landscape shifted enough that we do need to work from different foundational principles?
Jesse Whaley
Well, David, I mean, I do think Adi's commandments do hold up. I mean, the basic fundamental sound practices of cybersecurity still hold true regardless of how the environment evolves around us. How we respond to those may change over time. But all companies need to have basic and good cyber hygiene practices. And we're talking about patching their systems and keeping up to date, changing passwords frequently, having the right password combinations as defined by a governing body like NIST today, multi-factor authentication, reducing your attack surface, reducing the number of systems that you have connected to the Internet, and kind of all of those, and understanding where your assets are and managing vulnerabilities within those assets. Those are sound principles that I don't think are going to change regardless of AI or the next big thing. I think a lot of cybersecurity to me revolves around the data. What do the threat actors want? They want data or they want to disrupt your operations. So having good governance around data and data security holds up for protecting against new technology that you introduce to your environment, like generative AI, large language models, and things like that.
David Spark
So I throw this to you, Vaughn. I mean, this talk was 30 years ago, and yet we talk about principles like zero trust and defense in depth. Not so much as new, but zero trust is seen as, quote, new. But really this is nothing new, it's just new labels, if you will. In 30 years, or I don't know how many years you've been in cybersecurity yourself, Vaughn, have your principles in cybersecurity changed or shifted in any way? And very possibly they could have. Just wondering what has evolved, if anything. Again, principle-wise. The way we secure definitely has evolved.
Vaughn Hazen
Yeah, exactly. Well, I think what's interesting is you had this one that was about 30 years ago, and about a few years after that you had the 10 Immutable Laws of Security that were delivered by Microsoft, and both of them hold up very well today. There's a few changes, but the idea is, hey, if I can persuade you to run code on your computer, it's not your computer anymore. If I can alter the operating system, it's not your computer anymore. If I have unrestricted physical access to your computer, it's not your computer anymore. Weak passwords trumping strong security. All of these things are really basic principles that hold up over time. We may use different tooling. In the cloud things are a little bit different, but when you hear concepts like, well, identity is the new perimeter and things like that, it underlies that weakness of you cannot depend on a single layer to really solve all your security problems. And so when we have people bring up thoughts like that, you really have to challenge that and say, okay, yeah, but what happens when. And really ask those questions. And you know, we talked about my worst mistake. I do remember when I was talking to the founder of Ubizen, and this was 20 some years ago, and he was all excited saying, yeah, you know what, I'm telling people that we're only looking at layer three and above. That's where security's at. We're going to be going there. And I said, well, what about DDoS attacks and things like that? You could see that he didn't really think about that. And that's the thing is, security is complicated, and when you try to simplify it down to a one-liner or one layer, it's not going to function.
David Spark
We've got both types of issues. Compliance and regulation.
As of this reporting, the TSA has just closed the request for comment period on its proposed rules that could shift cybersecurity directives impacting the rail industry into formal regulations. Now, these could potentially require rail operations to designate security coordinators and set a 24-hour reporting window for incidents. The TSA has been iterating on its cybersecurity directives since 2021, starting out fairly prescriptive and rigid, but in subsequent directives focusing more on an outcome-based structure. So I'm going to start with you, Vaughn, on this. What's been your involvement in these directives and regulations? So sort of just give us a general background and what would make your job easier. And do the two of you talk about things like this very issue? Because, I mean, I gotta assume that your problems are somewhat a mirror of Jesse's problems. Yes.
Vaughn Hazen
So let me start out by saying we welcome constructive collaboration in combating nation state attacks on critical infrastructure. We don't have the intelligence apparatus of the federal government, but I will challenge the assertion that the directives have become more outcome focused. We've had challenges with the consistent approaches or the level of qualification of the field cyber experts that have been fielded by the TSA. And so we had some really serious discussions with them on math. They wanted to have, basically over a three year period, all of your security controls tested. And we came up with a strategy of saying, okay, we're going to take all of our critical cyber systems and do all the controls for each of a third of those systems in one year. And so by the end of three years we would have done all of them. They came back and said, oh, well, that doesn't meet with the requirements. And we were arguing over math. This is the kind of challenge that we've had with a lack of understanding. We've even asked them, well, why are you promoting encryption? And they've made statements, well, you have passengers, right? And we have to tell them, no, we're actually a freight railroad. Jesse does have passengers. We're carrying freight. They really don't understand the objectives of what they're trying to do. And when you say, oh, well, they're more outcome focused. Well, then why are they insisting on declaring? They get to decide what our critical cyber systems are. If it's really outcome focused, then you look at the notice of proposed rulemaking. They're requiring U.S. citizenship for those cybersecurity coordinators. My team is primarily based out of Canada, and they're primarily Canadians. I happen to be a US citizen. I have been working as the cybersecurity coordinator for the security directives. But when they're asking to have somebody available 24/7, I don't want to be that guy. We've got a security operations center.
Why can't they go to our security operations center that does operate 24 by 7? Tell me who the TSA is bringing up and saying, this is our contact for you 24x7. They don't have one. This is not fair, the way that they're trying to drive that. And they've also put in this notice of proposed rulemaking to remove the right to challenge in court the kinds of things they're doing. And basically, they're going to make it to where we really don't have any way to give them feedback that they will pay attention to, which we've seen over and over through the security directives. So I really, again, we welcome constructive collaboration, but that's not what we've been seeing over the past several years as we've tried to fight through these security directives.
David Spark
All right, very much understand. Jesse, I throw this to you. What has been your experience? Have you talked with Vaughn about the frustrations?
Jesse Whaley
So I'll start with, we both participate in the Association of American Railroads' Rail Information Security Committee, which is all the big freight rails, plus Amtrak, plus a commuter rail, kind of representing the broader rail community in the United States. So we've collaborated extensively as a group. And while I think there are some challenges that Vaughn has had, I've had different challenges. I haven't had some of the same challenges that he has. And there's also another group that we participate with called the North American Transportation Security Consortium, which is basically all of the passenger transportation companies in America. They come together and they discuss things like the security directives. I do think where there was discussion around the security directives being more prescriptive at first, I think that was true for the pipelines. They were kind of the first to go through this. And we collaborated very closely with TSA, saying that, well, that doesn't make sense for rail. And so the initial ones were actually quite simple, in my opinion. So there's appoint cybersecurity coordinators to collaborate with TSA and CISA on cybersecurity matters. It was fine for me. I have mostly US citizens on my staff. It's four layers deep, although I would much prefer that we could just provide the phone number for a 24 by 7 operations center and have them call that. But no, they want a person to talk to on a 24 by 7 basis. The second thing in the initial set of security directives that we were required to do is have a cyber incident response plan. Seems like a good thing to do anyways. And all companies should have a cyber incident response plan. The third thing was to complete a vulnerability assessment and submit that to TSA so that they could see what your vulnerabilities are. Also a good thing to do. However, TSA wanted us to, you know, use their template to do our vulnerability assessment.
And then when we initially submitted the vulnerability assessment, their website wasn't ready to receive it. It didn't have SSL/TLS certificates. In fact, our internal security controls rejected us from connecting to the site to be able to upload it. So that was interesting, but we worked with them and they got it fixed right away. And the fourth thing was to report all critical cyber incidents to CISA. We've been reporting as required, but we really haven't seen the benefits of that reporting. What's the benefit to the broader industry, the broader community? So those were the original security directives that were issued and continue to be reissued. And you'll find them in the notice of proposed rulemaking. What's additional that's come later with the security directives is to have a cybersecurity implementation plan. The first step of that cybersecurity implementation plan is to identify your critical cyber assets for your company. That has been a little bit of a challenge, because what I view as my critical cyber assets are not necessarily what Vaughn views as his critical cyber assets. So when I have a system that I have on my list, Vaughn has that same system, but it's not on his list because it's not critical to his business operations. Then there's a clear misunderstanding kind of at the TSA policy level. So we've had some struggles kind of working through those differences and nuances throughout the rail industry.
David Spark
Before we go on any further, I do want to tell you about our brand new sponsor, and that's Doppel. Now, Doppel is the first social engineering defense platform purpose-built to dismantle impersonation threats before they cause harm. Now, while legacy tools focus on detection and alerting, Doppel goes further, using AI and infrastructure correlation to link phishing emails, fake domains, deepfakes, and impersonation campaigns across channels. From executive protection to brand impersonation takedowns, Doppel doesn't just flag threats, it disrupts them at the source. Every attack fuels their shared threat grid, giving every customer the benefit of collective intelligence. The result? Faster disruption, stronger resilience, and fewer opportunities for adversaries to profit. Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue in a world where social engineering is now the biggest threat to enterprise security. For more, you got to go to their website. That's doppel.com, D-O-P-P-E-L.com.
It's time to play What's Worse.
All right, Vaughn, I'm sure you know how to play this game, right? Two horrible situations. You have to pick which one's worse. I will make Jesse answer first, and then you have to decide if you agree or disagree. Now, we have had a variation of this very scenario in the past, so it's a little bit of a rerun, but I thought it's time to bring it back. Two new guests, so we're going to address this one again. It's come from Edward Fry of Luminary Cloud. And, Jesse, this is for you. You start a new role, and you're excited for the company. When you get there, you find out that it is a clean slate with no existing tools or staff. What's worse? You're allowed to purchase many tools, but you're unable to hire any staff nor contractors. So that's scenario number one. All the tools you want, but no staff or contractors. Or you can hire a team of four or five staff, but you're not allowed to purchase any tools or services. Which one's worse?
Vaughn Hazen
Ooh.
Jesse Whaley
So on one hand, you can buy all the tools that you want, you can deploy all the technology that you want, but you don't have any staff to manage those things. Or to even monitor any of the alerts that come in.
David Spark
Why have tools at this point? Right.
Jesse Whaley
Why have tools if you don't have anybody to use them? The second scenario would be we could hire people, but there's no tools for them to use.
David Spark
Although you could go open source here, and we've had discussions. We could go open source.
Jesse Whaley
So in this scenario, I mean, what's worse is being able to buy a bunch of tools that will never get used because you don't have the staff to use it. And the other one is better having people because you can just hire the right people that know how to work with open source tools and could develop the tools that are needed. So assuming we can hire the right people, second scenario is definitely better.
David Spark
Yes, I'm feeling that's the case. Vaughn, are you agreeing or disagreeing at this point?
Vaughn Hazen
Yeah, so I'm going to agree. And the thing is, people make the difference. The reality is, even if you bought all brand new tools and they were all great, the reality is in a short period of time they'll be outdated. Even if you had AI running them, they're gonna be outdated and they're not gonna function anymore. The reality is people make the difference. And that's a no-brainer.
David Spark
Yeah, this is a reasonably easy one, because if there was a world of no open source, then this would be maybe a little more difficult. But being that there's a world of open source, this makes it an easier decision, doesn't it?
Jesse Whaley
And I'd say, you know, even if we didn't get to use open source in that scenario, we'd hire developers to develop things in house.
David Spark
Yeah, okay, there you go. Good point. So you'd always lean on humans.
Jesse Whaley
Absolutely.
David Spark
Rather than having the machines take over, as Vaughn had pointed out, even if the AI took over, it wouldn't work.
What about this AI security challenge?
It's hard to find a vendor who isn't quick to tell you how AI will transform some aspect of cybersecurity. But where is the data to back that up? Quote, prove it with data, was a challenge posed by Christopher Hoff, who's a CSO and CTO at LastPass. Now, he argued that when you look at the data for what these AI tools can do, what you're left with is a single digit percentage change in operation. So let me throw it to you guys. Are you seeing AI transform cyber? Because this is definitely, I guess we would all like it, and the vendors would like this too. And I'll start with you, Jesse. What data are you using when evaluating these tools? So are you seeing any true significant transformation through AI?
Jesse Whaley
I think it depends on what type of AI we're talking about. I mean, I assume we're talking about generative AI, because that's the hot buzzword of the day. I mean, so far, let's say on the defensive side of things, not seeing a whole lot of fresh value from AI just yet. I think there are lots of companies developing in this space, and certainly we have some things that we're trying out, but it's not saving the day yet. Where I'm seeing more, I think, generative AI used is on the offensive side of things, where we've got threat actors crafting perfect phishing emails now. Right. And a lot of the red flags that we had our employees looking for before just aren't there, because the generative AI is developing new social engineering materials for the threat actors. Back on the side of the data, the things that we want to know, most of the cybersecurity questions that we have or cybersecurity challenges, we can understand those challenges, we can answer those questions with data. So data is very important to us. So that's where I see the value starting to grow: being able to quickly answer those security questions in normal English language prompts and getting an answer back that is in almost executive summary format.
David Spark
Okay, Vaughn, I throw this to you. Are you seeing, and literally interpret it any way you want, any significant impact with AI in any manner? And if not now, how are you measuring to try to see that it is?
Vaughn Hazen
Yeah, so look, we've had machine learning in, like, anti-malware and all that for a long time, and it has been effective. It's taken away from the old approach of using signature-based antivirus and all that garbage that just couldn't keep up. So we've seen some benefits of subsets of AI already for a long time. I agree with what Jesse has said. You see things like Microsoft Security Copilot, where you can go in and ask questions and query, and they're using the AI to pull all that reporting information and give you a summary of data so that you can really investigate a lot faster. And it's about building efficiency in the way that your team works. And so I think there's value there. But to take advantage of that value, you really have to have, like, an all-Microsoft solution set up to get the best benefit out of that. And you know, most organizations are not set up that way.
David Spark
Unexpected outcomes or failures.
Quote, Security tools are part of your software supply chain and can introduce risks just like anything else. They often do, with damning impacts. End quote. A review of CISA's top routinely exploited vulnerabilities often features security products, noted Chris Hughes of Aquia in a recent blog post. You pick the big vendor and they are likely accounted for. And despite this, security incidents from vendors often don't seem to move the needle with market share or the company's bottom line. And we actually saw this with the Verizon Data Breach Investigations Report as well. Are we adequately accounting for our own security tools as part of our attack surface, especially when they almost all run with elevated privileges? Key to note. I'll start with you, Vaughn. And should this impact how we think about who we buy from? So, I mean, let me ask you, when a tool fails in some massive breach, does that calculate into your purchasing decisions?
Vaughn Hazen
So I think that the reality is you've got to appreciate that every single thing that you add into your environment increases your attack surface. That's the reality, because all software is vulnerable. Every single thing. And so when you see organizations that have multiple tools that do the same thing, you're basically just looking at an enhanced attack surface. So we try to limit our tools. We do a lot of rationalization on our security landscape. But the fact of the matter is, as we talked earlier about the need to go back to principles that apply, the 10 laws and all that kind of thing, you still have to have layered security. You cannot depend on a single solution to solve all your problems. But that doesn't mean that you buy a plethora of point solutions and increase that attack surface. So you reduce the number. You get tools that have less of an overlap but are complementary in terms of the protection that they provide, and you constantly maintain them so that you don't have anything that has a known vulnerability that you're not addressing. That's the basics of it, and that's the reality. You're going to see vulnerabilities in every single piece of software that you deploy.
David Spark
So you treat security tools no different than any other software in your environment.
Vaughn Hazen
In terms of the risk that they are to the environment? Absolutely.
David Spark
All right, Jesse, you're nodding your head.
Jesse Whaley
No, I absolutely agree with that, David.
David Spark
So lean into that a little more. And then tell me, does the history of a tool affect your purchasing decision, how it sort of reacts in the environment? The stories you hear about, because we hear this, tools that everybody relies on get hacked. Does that affect your decision making?
Jesse Whaley
Oh, it absolutely does affect my decision making. We do have a supply chain risk management program at Amtrak. And some of those items are what we vet new vendors on before we even go to commercial negotiation with a vendor. Like, if they've had a breach, we want to talk about it. If they've failed an audit or have some compliance issues, we want to talk about it. So I think every company, a mature company or a company that's maturing, should have a patch management policy, vulnerability management policy, configuration management policy, disaster recovery plans, you know, resiliency strategy, things like that. And all software kind of falls into that in some way. Obviously some are more critical than others. But even your non-critical software can still pose a risk to the environment. So when we're reporting risk and vulnerabilities to the executive teams that can go out and fix things, the issues that we find in our environment, we're reporting on security tools as well. So I might have a list of things that I'm responsible for going to fix in any given risk review cycle.
David Spark
Let me ask both of you, because you made a comment, and I'll start with you, Jesse, and go to you, Vaughn, as well. So big security tool X has a very bad public situation. You do want to talk to them about it. What is a good response of how they're dealing with it, and what's a bad response? And have you heard both? So give me an example. Good to respond this way, not good to respond that way. Jesse.
Jesse Whaley
So a bad response is really they either do nothing or there is no public outreach. There is no outreach to their customers saying, hey, we had this problem, this is how you need to fix it. So no communication at all is probably the worst that we can see. On the good side, it's really just increased communications with their customers. That's starting with sending emails or texts to their contacts at the company to let them know that we had a problem, following up with an email with a memo saying, hey, we had this problem, we're going to set up a call to talk you through it. And then it's almost face-to-face conversations with their executive leadership, with their CTO, CEO, their CISO, and discussing the challenges and getting advice from them on how we can fix whatever challenge they may have caused in our environment.
David Spark
All right, Vaughn, anything to add to that of what has been a good or bad response?
Vaughn Hazen
Yeah, so I'll add to the bad response. When an organization tries to shut down those who are drawing attention to a problem that's there, they make threats and otherwise try to shut down those researchers.
David Spark
Or whoever it is, yeah, we've seen this happen before.
Vaughn Hazen
Yeah. Or if they deny and say, oh, well, it's not really a vulnerability, it's working as designed. If they don't accept that they may have an impact in our environment, I think that's a problem. And certainly a poor response to that, because they're more concerned about their liability, that they may be held accountable for the impact that they're having in our environment, rather than worrying about how they help us get to where we need to be to secure our environments and be resilient against the attacks. And I agree with Jesse. When they make the outreach, when they communicate clearly, when they take responsibility and they work to clean it up as quickly as possible. Sometimes they may adjust and fix it before they make everybody aware of it, because they don't want to make it visible that there's a problem before they can fix it. I understand that. But when they deny and they don't work to clean it up, that's a problem.
David Spark
Well, excellent. We're going to bring the show to a close right there. We do not deny any of the problems we have here on this show. We are very open about it. Or we edit. We edit them out and you never hear them again. I am so thrilled I brought the two of you together. Audience, you have no idea. This was, I think, about a year in the making of trying to get the two of you together to do this recording. So I'm thrilled that we actually were able to do it. And also, Jesse had a little bit of a hiccup at work that made us change our last recording time. But it all worked out. Huge thanks to our sponsor, Doppel. Remember, they've got the platform that stops social engineering at scale. Go to their website, doppel.com. Defend what's real, disrupt what's not. Doppel.com, D-O-P-P-E-L.com. Go check them out. Let me ask both of you. I know, Jesse, I mean, we've talked about this before. You've got, like, always the most impressive funnel of talent. I think others would be extraordinarily jealous to see it. By the way, just search Jesse's name on our site and find those episodes where we talk about it, because it's good. May I assume you're still looking for great cyber talent?
Jesse Whaley
Yes, absolutely. We're always on the hunt. And even if you're just breaking into cyber, check out our intern positions. We have a robust internship program, and we get people trained and prepared to enter the workforce, whether it's here at Amtrak or whether I kick them over to Vaughn, because Vaughn needs some help.
David Spark
Has he kicked talent over to you? Vaughn?
Vaughn Hazen
Not that I'm aware of, but I'll take good talent any day.
David Spark
Vaughn, are you hiring yourself?
Vaughn Hazen
So we do hire. We typically hire for key roles. There's not generally a ton of openings because we have a great team and we have low turnover.
David Spark
Well, that's great. And I've heard also low turnover with Jesse as well. So obviously the two of you are doing something correctly. Vaughn, I'm assuming there's a job board over at cn.ca.
Vaughn Hazen
Yes, absolutely. cn.ca careers. Absolutely.
David Spark
Excellent. Well, thank you very much, Vaughn. Vaughn Hazen, who is the CISO over at CN, and also Jesse Whaley, who's the CISO over at Amtrak. And you, our audience. I'm sure you have a whole array of different titles. I can't announce every single one of them right now, but we appreciate you listening and contributing to the CISO Series.
Podcast. That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Hosts: David Spark, Jesse Whaley (CISO, Amtrak, guest co-host)
Guest: Vaughn Hazen (CISO, CN – Canadian National Railway)
Theme: How enduring security fundamentals, practical regulation, and human-centered practices shape resilient organizations, even amidst shifting technology and regulatory pressures.
This episode brings together the top rail security leaders from the US and Canada for a candid discussion on enduring cybersecurity principles, the realities of regulation, evolving threats (notably AI and supply chain risks), and why people—not just tools—remain central to cyber defense. Rooted in lived experience and recent regulatory shifts, the conversation digs into practical collaboration, vendor management, measuring AI’s real impact, and the perennial challenges of security tool risk. Throughout, the hosts favor grounded, proven approaches over chasing the latest buzzwords.
"All companies need to have basic and good cyber hygiene practices. I don't think that's going to change regardless of AI or the next big thing."
“You cannot depend on a single layer to really solve all your security problems… security is complicated and when you try to simplify it down to a one-liner or one-layer, it’s not going to function.” (08:37)
“We could hire people, but there’s no tools for them to use… we can just hire the right people that know how to work with open source tools and could develop the tools that are needed.”
“When an organization tries to shut down those who are drawing attention to a problem… they make threats and otherwise try to shut down those researchers… if they deny and say, 'Oh, it’s not really a vulnerability, it’s working as designed…' That’s a problem.”
This engaging, candid episode serves as a reminder that fundamentals—well-understood and applied by experienced human teams—remain at the heart of security, regardless of technological trend or regulatory fashion. Vendor partnerships, regulatory compliance, and new tech like AI all demand vigilance, but none diminish the need for strong principles and high-quality talent.