Why Learn Security Fundamentals When We Could Just Chase Our Tails?

Chasing our tails

Don’t aim for perfect security, don’t trust systems, don’t trust people, and don’t rely on a single line of defense. Those might sound like “modern” cybersecurity principles, but they date back to a 1995 talk by cryptography pioneer Adi Shamir. The landscape is changing, but the fundamentals have been around for decades. Why are we still struggling to understand that?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Jesse Whaley, CISO, Amtrak. Joining us is our guest Vaughn Hazen, CISO, CN.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Doppel

Doppel is the first social engineering defense platform built to dismantle deception at the source. It uses AI and infrastructure correlation to detect, link, and disrupt impersonation campaigns before they spread – protecting brands, executives, and employees while turning every threat into action that strengthens defenses across a shared intelligence network. Learn more at Doppel.com

Full Transcript

Intro

0:00.000

[Voiceover] Biggest mistake I ever made in security. Go!

[Vaughn Hazen] The biggest mistake that I ever made was believing that all tools are the same. About 20 years ago, I was working with Qualys vulnerability scanners and our MSSP partner said, “Hey, we just penned a commercial deal with this new partner. It’s going to save you a ton of money.” So, we went ahead and took advantage of it.

That organization, which is no longer in business, had this unique aspect where they would scan adjacent IP addresses, and we had specifically blocked out certain IP addresses not to scan because at that time the voice applications were transitioning from serial to TCP/IP. And they were running over TCP/IP, but they were really not ready for prime time.

So, if we scanned them, it created problems. Well, when this thing was scanning adjacent IP addresses, it shut down our call centers. So, yeah, that was probably the biggest mistake I’ve made.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. My co-host, a guest co-host for today’s episode, but you’ve heard him on this show many times before. It is the CISO for Amtrak, none other than Jesse Whaley. Jesse, say hello to the nice audience.

[Jesse Whaley] Hello, nice audience. It’s great to be back on the show as David’s co-host today. Thanks for having me, David.

[David Spark] We love having you on. In fact, I believe you were my guest co-host when we did a show in Tel Aviv like two years ago. That was a ton of fun.

[Jesse Whaley] Yes, we did. That was awesome.

[David Spark] We’re available over at CISOseries.com, and our sponsor for today’s episode is Doppel. Defend what’s real, disrupt what’s not. A purpose-built platform that stops social engineering at scale, powered by adaptive AI and human expertise. That’s Doppel. More about that later in the show. Jesse, this episode is dropping in May, which will be after RSA.

You will be going. Now, we can’t talk about how we enjoyed RSA, but let me ask you, what do you do to prepare to go to RSA? And what is a successful RSA for you?

[Jesse Whaley] So, I always have to go to RSA with a plan, and I think we may have talked about this before because if you don’t go there with a plan, all you’ll leave there with is a hangover because of all the parties and dinners and everything else that goes on at RSA. So, typically my plan is pick a couple of the big talks that I want to listen to, to see what some of the other strategic thought leaders are thinking around the country and around the globe.

This year I do have a couple of folks on my staff speaking, so of course I’ll go support them and cheer them on as they’re on the RSA stage. I typically participate in the Night Dragon Innovation Summit, which is adjacent to the RSA Summit. But a lot of my time is actually spent meeting with various industry colleagues and vendors and taking advantage of all the people being in one location.

[David Spark] Yeah, that is the key thing. Essentially the gravity that this event creates of bringing people together is really its greatest power. In fact, I’m going to actually bring our guest in now because it’s kind of a big deal that this guest is on today. This has been a long time coming because you are the CISO of the rail company for the entire United States, and we also have the CISO for the rail company of the entire country of Canada, none other than Vaughn Hazen, CISO for CN.

Vaughn, thank you for joining us today.

[Vaughn Hazen] Thanks, David. Good to be here.

[David Spark] Are you going to be going to RSA this year?

[Vaughn Hazen] I usually go to RSA because of the Executive Security Action Forum that I take part in. Yeah, I’m usually there.

[David Spark] And let me ask you, is your plan in any way different than what Jesse described?

[Vaughn Hazen] Yeah, except I won’t have the hangover. I never drank.

[David Spark] [Laughter]

[Vaughn Hazen] Well, I’m not looking for that either. But it’s just sound advice. Come up with a plan other than to…

[David Spark] Other than a hangover. Don’t have that as your plan.

[Jesse Whaley] Absolutely.

Didn’t we solve this already?

4:16.170

[David Spark] “People in cybersecurity assume that every challenge our industry is experiencing today is new and has never been faced by those in other fields.” This trend was noted recently in a blog by Ross Haleliuk. Now, while threats might be new, the underlying principles of sound cybersecurity seem to have stood the test of time.

He points to a 1995 talk by Adi Shamir, one of the developers of the RSA cryptosystem, that laid out the 10 commandments of commercial cybersecurity. They all sound remarkably relevant, like don’t aim for perfect security, don’t trust systems, don’t trust people, and don’t rely on a single line of defense.

Sounds a lot like defense in depth and zero trust to me. So, I’m going to start with you, Jesse, on this. Do Adi’s 10 commandments hold up or has the cybersecurity landscape shifted enough that we do need to work from different foundational principles?

[Jesse Whaley] Well, David, I mean, I do think Adi’s commandments do hold up. I mean, the basic fundamental sound practices of cybersecurity still hold true, regardless of how the environment evolves around us. How we respond to those may change over time, but all companies need to have basic and good cyber hygiene practices.

And we’re talking about patching their systems and keeping up to date, changing passwords frequently, having the right password combinations as defined by a governing body like NIST today, multi-factor authentication, reducing your attack surface, reducing the amount of systems that you have connected to the internet, and kind of all of those, and understanding where your assets are and managing vulnerabilities within those assets are sound principles that I don’t think are going to change regardless of AI or the next big thing.

I think a lot of cybersecurity to me revolves around the data. What do the threat actors want? They want data or they want to disrupt your operations. So, having good governance around data and data security hold up for protecting against new technology that you introduce to your environment, like generative AI, large language models, and things like that.

[David Spark] So, I throw this to you, Vaughn. I mean, this talk was 30 years ago, and yet we talk about principles like zero trust and defense in depth, not so much as new, but zero trust is seen as “new,” but really this is nothing new. It’s just new labels, if you will. In 30 years, or I don’t know how many years you’ve been in cybersecurity yourself, Vaughn, have your principles in cybersecurity changed or shifted in any way?

And it very possibly could have, just wondering. Like what has evolved, if anything? Again, principle-wise. The way we secure definitely has evolved.

[Vaughn Hazen] Yeah, exactly. Well, I think what’s interesting is you had this one that was about 30 years ago, and about a few years after that, you had the 10 immutable laws of security that were delivered by Microsoft, and both of them hold up very well today. There’s a few changes but, I mean, the idea is of, hey, if I can persuade you to run code on your computer, it’s not your computer anymore.

If I can alter the operating system, it’s not your computer anymore. If I have unrestricted physical access to your computer, it’s not your computer anymore. Weak passwords trumping strong security. All of these things are really basic principles that hold up over time. We may use different tooling in the cloud.

Things are a little bit different, but when you hear concepts like, well, identity’s the new perimeter and things like that, it underlies that weakness of you cannot depend on a single layer to really solve all your security problems. And so, when we have people bring up thoughts like that, you really have to challenge that and say, “Okay, yeah, but what happens when…?” and really ask those questions.

We talked about my worst mistake. I do remember when I was talking to the founder of Ubizen, and this was 20-some years ago, and he was all excited saying, “Yeah, you know what? I’m telling people that we’re only looking at layer three and above. That’s where security’s at. We’re going to be going there.” And I said, “Well, what about DDoS attacks and things like that?”

[Laughter]

[Vaughn Hazen] You could see that he didn’t really think about that. And that’s the thing is security’s complicated, and when you try to simplify it down to a one liner or one layer, it’s not going to function.

We’ve got both types of issues – compliance and regulation.

8:58.163

[David Spark] As of this recording, the TSA has just closed the request for comment period on its proposed rules that could shift cybersecurity directives impacting the rail industry into formal regulations. Now, these could potentially require rail operations to designate security coordinators and set a 24-hour reporting window for incidents.

The TSA has been iterating on its cybersecurity directive since 2021, starting out fairly prescriptive and rigid, but in subsequent directives, focusing more on outcome-based structure. So, I’m going to start with you, Vaughn, on this. What’s been your involvement in these directives and regulations, just give us a general background, and what would make your job easier?

And do the two of you talk about these things? Like, this very issue? Because, I mean, I got to assume that your problems are kind of somewhat a mirror of Jesse’s problems. Yes?

[Vaughn Hazen] So, let me start out by saying we welcome constructive collaboration and combating nation-state attacks on critical infrastructure. We don’t have the intelligence apparatus of the federal government, but I will challenge the assertion that the directives have become more outcome focused.

We’ve had challenges with the consistent approaches or the level of qualification of the field cyber experts that have been fielded by the TSA. And so, we had some really serious discussions with them on math. They wanted to have basically over a three-year period all of your security controls to be tested.

And we came up with a strategy of saying, okay, we’re going to take all of our critical cyber systems and do all the controls for each of a third of those systems on one year. And so, by the end of three years, we would have done all of them. They came back and said, “Oh, well, that doesn’t meet with the requirements.” And we were arguing over math.

This is the kind of challenge that we’ve had with a lack of understanding. We’ve even asked them, “Well, why are you promoting encryption?” And they’ve made statements, “Well, you have passengers, right?” And we have to tell them, “No, we’re actually a freight railroad.” Jesse does have passengers. We’re carrying freight.

They really don’t understand the objectives of what they’re trying to do. And when you say, “Oh, well, they’re more outcome focused,” well, then why are they insisting on declaring they get to decide what our critical cyber systems are, if it’s really outcome focused?

Then you look at the notice of proposed rulemaking. They’re requiring US citizenship for those cybersecurity coordinators. Now, my team is primarily based out of Canada, and they’re primarily Canadians. I happen to be a US citizen. I have been working as the cybersecurity coordinator for the security directives.

But when they’re asking to have somebody available 24 by 7, I don’t want to be that guy. We’ve got a security operations center. Why can’t they go to our security operations center that does operate 24 by 7? Tell me who the TSA is bringing up and saying, “This is our contact for you 24 by 7.” They don’t have one.

This is not fair the way that they’re trying to drive that. And they’ve also put in this notice of proposed rulemaking to remove the right to challenge in court the kinds of things they’re doing. And basically, they’re going to make it to where we really don’t have any way to give them feedback that they will pay attention to, which we’ve seen over and over through the security directives.

Again, we welcome constructive collaboration, but that’s not what we’ve been seeing over the past several years as we’ve tried to fight through these security directives.

[David Spark] Ah, all right. Very much understand. Jesse, I throw this to you. What has been your experience? I mean, have you talked with Vaughn about the frustrations?

[Jesse Whaley] So, I’ll start with we both participate in the Association of American Railroads Rail Information Security Committee, which is all the big freight rails, plus Amtrak, plus commuter rail, kind of representing the broader rail community in the United States. So, we’ve collaborated extensively as a group.

And while I think there are some challenges that Vaughn has had, I’ve had different challenges. I haven’t had some of the same challenges that he has. And there’s also another group that we participate with, it’s called the North American Transportation Security Consortium, which is basically all of the passenger transportation companies in America.

They come together and they discuss things like the security directives. I do think where there was discussion around the security directives being more prescriptive at first, I think that was true for the pipelines. They were kind of the first to go through this. And we collaborated very closely with TSA saying that, “Well, that doesn’t make sense for rail.” And so, the initial ones were actually quite simple, in my opinion.

So, there’s the appointing of cybersecurity coordinators to collaborate with TSA and CISA on cybersecurity matters. It was fine for me. I have mostly US citizens on my staff. There’s four layers deep. Although I would much prefer that we can just provide the phone number for a 24 by 7 operation center and have them call that, but no, they want a person to talk to on a 24 by 7 basis.

The second thing in the initial set of security directives that we were required to do is have a cyber incident response plan. Seems like a good thing to do anyways, and all companies should have a cyber incident response plan.

The third thing was to complete a vulnerability assessment and submit that to TSA so that they could see what your vulnerabilities are. Also a good thing to do; however, TSA wanted us to use their template to do our vulnerability assessment. And then when we initially submitted the vulnerability assessment, their website wasn’t ready to receive it.

It didn’t have SSL/TLS certificates. In fact, our internal security controls rejected us from connecting to the site to be able to upload it. So that was interesting. But we worked with them, and they got it fixed right away. And the fourth thing was to report all critical cyber incidents to CISA. We’ve been reporting as required, but we really haven’t seen the benefits of that reporting.

What’s the benefits to the broader industry, the broader community? So, those were the original security directives that were issued and continue to be reissued, and you’ll find them in the notice of proposed rulemaking.

What’s additional that’s come later with the security directives is to have a cybersecurity implementation plan. The first step of that cybersecurity implementation plan is to identify your critical cyber assets for your company. That has been a little bit of a challenge because what I view as my critical cyber assets are not necessarily what Vaughn views as his critical cyber assets.

So, when I have a system that I have on my list, Vaughn has that same system, but it’s not on his list because it’s not critical through his business operations. Then there’s a clear misunderstanding kind of at the TSA policy level. So, we’ve had some struggles kind of working through those differences and nuances throughout the rail industry.

Sponsor – Doppel

16:16.404

[David Spark] Before I go on any further, I do want to tell you about our brand-new sponsor and that’s Doppel. Doppel is the first social engineering defense platform purpose-built to dismantle impersonation threats before they cause harm. Now while legacy tools focus on detection and alerting, Doppel goes further using AI and infrastructure correlation to link phishing emails, fake demands, deep fakes, and impersonation campaigns across channels.

From executive protection to brand impersonation takedowns, Doppel doesn’t just flag threats, it disrupts them at the source. Every attack fuels their shared threat grid, giving every customer the benefit of collective intelligence. The result – faster disruption, stronger resilience, and fewer opportunities for adversaries to profit.

Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue in a world where social engineering is now the biggest threat to enterprise security. For more, you got to go to their website. That’s doppel.com.

It’s time to play “What’s Worse?”

17:31.132

[David Spark] All right, Vaughn, I’m sure you know how to play this game, right? Two horrible situations. You have to pick which one’s worse. I will make Jesse answer first and then you have to decide if you agree or disagree. Now, we have had a variation of this very scenario in the past, so it’s a little bit of a rerun before, but I thought it’s time to bring it back to new guests, so we’re going to address this one again.

It’s come from Edward Frye of Luminary Cloud, and Jesse, this is for you. You start a new role and you’re excited for the company. When you get there, you find out that it is a clean slate with no existing tools or staff. What’s worse, you’re allowed to purchase many tools, but you’re unable to hire any staff or contractors – so that’s scenario number one – all the tools you want, but no staff or contractors, or you can hire a team of four or five staff, but you’re not allowed to purchase any tools or services.

Which one’s worse?

[Jesse Whaley] Ooh. So, on one hand, you can buy all the tools that you want, you can deploy all the technology that you want, but you don’t have any staff to manage those things or to even monitor any of the alerts that come in.

[David Spark] Why have tools at this point, right?

[Jesse Whaley] Why have tools if you don’t have anybody to use them.

[David Spark] Right.

[Jesse Whaley] And the second scenario would be we could hire people, but there’s no tools for them to use.

[David Spark] Although you could go open source here, and we’ve had discussion.

[Jesse Whaley] We could go open source.

[David Spark] Yeah.

[Jesse Whaley] So, in this scenario, I mean, what’s worse is being able to buy a bunch of tools that will never get used because you don’t have the staff to use it.

[David Spark] Mm-hmm.

[Jesse Whaley] And the other one is better, having people, because you can just hire the right people that know how to work with open-source tools and could develop the tools that are needed. So, assuming we can hire the right people, second scenario is definitely better.

[David Spark] Yes. I’m feeling that’s the case. Vaughn, are you agreeing or disagreeing at this point?

[Vaughn Hazen] Yeah. So, I’m going to agree. And the thing is, people make the difference.

[David Spark] Yes.

[Vaughn Hazen] The reality is, even if you bought all brand-new tools and they were all great, the reality is in a short period of time, they’ll be outdated. Even if you had AI running them, they’re going to be outdated and they’re not going to function anymore. The reality is, people make the difference and that’s a no-brainer.

[David Spark] Yeah. This is a reasonably easy one because if there was a world of no open source, then this would be maybe a little more difficult, but being that there’s a world of open source, this makes this an easier decision, doesn’t it?

[Jesse Whaley] And I’d say even if we didn’t get to use open source in that scenario, we’d hire developers to develop things in-house.

[David Spark] Yeah. Okay. There you go. Good point. So, you’d always lean on humans.

[Jesse Whaley] Absolutely.

[David Spark] Rather than having the machines take over, as Vaughn had pointed out. Even if AI took over, it wouldn’t work.

What about this AI security challenge?

20:43.255

[David Spark] It’s hard to find a vendor who isn’t quick to tell you how AI will transform some aspect of cybersecurity. But where is the data to back that up? “Prove it with data,” was a challenge posed by Christofer Hoff, who’s the CSO and CTO at LastPass. Now, he argued that when you look at the data for what these AI tools can do, what you’re left with is a single digit percentage change in operations.

So, let me throw it to you guys. Are you seeing AI transform cyber? Because this is definitely… I guess we would all like it and the vendors would like this too. And I’ll start with you, Jesse. What data are you using when evaluating these tools? So, are you seeing any true significant transformation through AI?

[Jesse Whaley] I think it depends on what type of AI we’re talking about. I mean, I assume we’re talking about generative AI because that’s the hot buzzword of the day.

[David Spark] Sure.

[Jesse Whaley] I mean, so far, let’s say on the defensive side of things, not seeing a whole lot of fresh value from AI just yet. I think there are lots of companies developing in this space and certainly we have some things that we’re trying out, but it’s not saving the day yet. Where I’m seeing more, I think, generative AI used is on the offensive side of things where we’ve got threat actors crafting perfect phishing emails now, right?

And a lot of the red flags that we had our employees looking for before just aren’t there because the generative AI is developing new social engineering materials for the threat actors. Back on the side of the data, the things that we want to know, most of our cybersecurity questions that we have are cybersecurity challenges.

We can understand those challenges. We can answer those questions with data. So, data is very important to us. And so, that’s where I see the value starting to grow is being able to quickly answer those security questions in normal English language prompts and getting an answer back that is in almost executive summary format.

[David Spark] Okay. Vaughn, I throw this to you. Are you seeing, and literally answer it any way you want, any significant impact with AI in any manner? And if not now, like how are you measuring to try to see that it is?

[Vaughn Hazen] Yeah. So, look, we’ve had machine learning and anti-malware and all that for a long time. And it has been effective. It’s taken away from the old approach of using signature-based antivirus and all that garbage that just couldn’t keep up. So, we’ve seen some benefits of subsets of AI already for a long time.

I agree with what Jesse has said. You see things like Microsoft’s security copilot, where you can go in and ask questions and query, and they’re using the AI to pull all that reporting information and give you a summary of data so that you can really investigate a lot faster. And it’s about building efficiency in the way that your team works.

And so, I think there’s value there, but to take advantage of that value, you really have to have like an all-Microsoft solution set up to get the best benefit out of that, and most organizations are not set up that way.

Unexpected outcomes or failures?

24:11.356

[David Spark] “Security tools are part of your software supply chain and can introduce risks just like anything else. They often do with damning impacts.” A review of CISA’s Top Routinely Exploited Vulnerabilities often features security products, noted Chris Hughes of Aquia in a recent blog post. You pick the big vendor, and they are likely accounted for.

And despite this, security incidents from vendors often don’t seem to move the needle with market share or the company’s bottom line. We actually saw this with the Verizon data breach investigation report as well. Are we adequately accounting for our own security tools as part of our attack surface, especially when they almost all run with elevated privileges?

Key to note. I’ll start with you, Vaughn. And should this impact how we think about who we buy from? So, I mean, let me ask you, when a tool fails in some massive breach, does that calculate into your purchasing decisions?

[Vaughn Hazen] So, I think that the reality is, you’ve got to appreciate that every single thing that you add into your environment increases your attack surface. That’s the reality because…

[David Spark] Good point.

[Vaughn Hazen] …all software is vulnerable, every single thing. And so, when you see organizations that have multiple tools that do the same thing, you’re basically just looking at an enhanced attack surface. So, we try to limit our tools. We do a lot of rationalization on our security landscape. But the fact of the matter is, as we talked earlier about the need to go back to principles that apply the 10 laws and all that kind of thing, you still have to have layered security; you cannot depend on a single solution to solve all your problems.

But that doesn’t mean that you buy a plethora of point solutions and increase that attack surface. So, you reduce the number, you get tools that have less of an overlap but are complementary in terms of the protection that they provide, and you constantly maintain them so that you don’t have anything that has a known vulnerability that you’re not addressing.

That’s the basics of it. And that’s the reality. You’re going to see vulnerabilities in every single software that you deploy.

[David Spark] So, you treat security tools no different than any other software in your environment?

[Vaughn Hazen] In terms of the risk that they are to the environment, absolutely.

[David Spark] All right. Jesse, you’re nodding your head.

[Jesse Whaley] Yeah, I absolutely agree with that, David.

[David Spark] So, lean into that a little more and then tell me, I mean, does the history of a tool affect your purchasing decision? How it sort of reacts in the environment, the stories you hear about? Because we hear this “tools that everybody relies on get hacked.” Does that affect your decision making?

[Jesse Whaley] Oh, it absolutely does affect my decision making. So, I mean, we do have a supply chain risk management program at Amtrak, and some of those things or items are what we vet to new vendors on before we even go to commercial negotiation with the vendor. Like if they’ve had a breach, we want to talk about it.

If they’ve failed an audit or have some compliance issues, we want to talk about it. So, I think every company, mature company, or a company that’s maturing should have a patch management, vulnerability management policy, configuration management policy, disaster recovery plans, resiliency strategy, things like that.

And all software kind of falls into that in some way. Obviously, some are more critical than others, but even your non-critical software can still pose a risk to the environment. So, when we’re reporting risk and vulnerabilities to the executive teams that can go out and fix things, issues that we find in our environment, well, we’re reporting on security tools as well.

So, I might have a list of things that I’m responsible for going to fix in any given risk review cycle.

[David Spark] Let me ask both of you because you made a comment, and I’ll start with you, Jesse, and we’ll go to you, Vaughn, as well. So, big security tool X has a very bad public situation. You do want to talk to them about it. What is a good response of how they’re dealing with it, and what’s a bad response?

And have you heard both? So, give me an example – good to respond this way, not good to respond that way. Jesse?

[Jesse Whaley] So, a bad response is really they either do nothing, or there is no public outreach, there is no outreach to their customers saying, “Hey, we had this problem. This is how you need to fix it.” So, no communication at all is probably the worst that we can see. On the good side, it’s really just increased communications with their customers that’s starting with sending emails or texts to their contacts at the company, letting them know that we had a problem.

Following up with an email, with a memo saying, “Hey, we had this problem. We’re going to set up a call to talk you through it.” And then it’s almost face-to-face conversations with their executive leadership, with their CTO, CEO, their CISO, and discussing the challenges and getting advice from them on how we can fix whatever challenge they may have caused in our environment.

[David Spark] All right, Vaughn, anything to add to that of what has been a good/bad response?

[Vaughn Hazen] Yeah, so I’ll add to the bad response. When an organization tries to shut down those who are drawing attention to a problem that’s there, they make threats and otherwise try to shut down those researchers or whoever it is.

[David Spark] Yeah, we’ve seen this happen before.

[Vaughn Hazen] Yeah. Or if they deny and say, “Oh, well, it’s not really a vulnerability. It’s working as designed.” If they don’t accept that they may have an impact in our environment, I think that’s a problem. And certainly, a poor response to that because they’re more concerned about their liability, that they may be held accountable for the impact that they’re having in our environment, rather than worrying about how they help us get to where we need to be to secure our environments and be resilient against the attacks.

And I agree with Jesse. When they make the outreach, when they communicate clearly, when they take responsibility, and they work to clean it up as quickly as possible. Sometimes they may adjust and fix it before they make everybody aware of it because they don’t want to make it visible that there’s a problem before they can fix it, I understand that.

But when they deny and they don’t work to clean it up, that’s a problem.

[David Spark] Well, excellent.

Closing

30:57.335

[David Spark] We’re going to bring the show to a close right there. We do not deny any of the problems we have here on this show. We are very open about it, or we edit them out and you never hear them again.

[Laughter]

[David Spark] I’m so thrilled I brought the two of you together. Audience, you have no idea. This was, I think, about a year in the making of trying to get the two of you together to do this recording. So, I’m thrilled that we actually were able to do it. And also, Jesse had a little bit of a hiccup at work that made us change our last recording time, but it all worked out.

Huge thanks to our sponsor, Doppel. Remember, they’ve got the platform that stops social engineering at scale. Go to their website, doppel.com, defend what’s real, disrupt what’s not, doppel.com. Go check them out. Let me ask both of you. I know, Jesse, I mean, we’ve talked about this before. You’re, like, always hiring.

You’ve got the most impressive funnel of talent. I think others would be extraordinarily jealous to see. By the way, just search Jesse’s name on our site and find those episodes where we talk about it because it’s good. May I assume you’re still looking for great cyber talent, yes?

[Jesse Whaley] Absolutely. We’re always on the hunt. And even if you’re just breaking into cyber, check out our intern positions. We have a robust internship program, and we get people trained and prepared to enter the workforce, whether it’s here at Amtrak or whether I kick them over to Vaughn because Vaughn needs some help.

[David Spark] Ah! Has he kicked talent over to you, Vaughn?

[Vaughn Hazen] [Laughter] Not that I’m aware of, but I’ll take good talent any day.

[David Spark] Vaughn, are you hiring yourself?

[Vaughn Hazen] So, we do hire. We typically hire for key roles. There’s not generally a ton of openings because we have a great team and we have low turnover.

[David Spark] Well, that’s great. And I’ve heard also low turnover with Jesse as well. So, obviously the two of you are doing something correctly. Vaughn, I’m assuming there’s a job board over at cn.ca, yes?

[Vaughn Hazen] Absolutely, cn.ca/careers. Absolutely.

[David Spark] Excellent. Well, thank you very much, Vaughn. Vaughn Hazen, who is the CISO over at CN, and also Jesse Whaley, who’s the CISO over at Amtrak. And you, our audience, I’m sure you have a whole array of different titles. I can’t announce every single one of them right now, but we appreciate you listening and contributing to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.

David Spark
David Spark is the founder of CISO Series, where he produces and co-hosts many of the shows. Spark is a veteran tech journalist who has appeared in dozens of media outlets over almost three decades.