
Bridging Expertise: From IT Foundations to OT Triumphs in Rail Cybersecurity | Mark Johnston | S2E8


In this episode of Secure Tracks, Miki Shifman delves into bridging knowledge between IT and OT in transit cybersecurity with Mark Johnston, CISO of TriMet. Mark Johnston shares his enlightening journey from a seasoned IT security career to leading OT security initiatives at TriMet. Discover the challenges, innovations, and triumphs involved in integrating these critical technologies to enhance the safety and reliability of public transit systems.

About our guest:

Mark Johnston is the CISO at TriMet, where he plays a pivotal role in safeguarding the transit agency’s information and operational technologies. With a distinguished background in public sector cybersecurity, including roles as the Director of Cybersecurity for the State of Oregon and Information Security Officer at the Oregon Health Authority, Mark brings a wealth of experience to the rail industry. His career transition from IT to OT security highlights his dedication to addressing the unique cybersecurity needs of transportation infrastructure. Mark's leadership and forward-thinking approach are instrumental in advancing TriMet’s cybersecurity initiatives and promoting a safer transit environment.


Miki Shifman: Hi, I'm Miki Shifman and this is the second season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're thrilled to have Mark Johnston of TriMet with us. Mark has a distinguished background in public sector cybersecurity. He served as the Director of Cybersecurity for the State of Oregon and Information Security Officer at the Oregon Health Authority before taking on his current role as CISO at TriMet. This marks his first venture into the rail industry, where he's been since July 2022. Mark is passionate about bringing IT cybersecurity professionals into critical infrastructure, particularly transit, to address the great need for cybersecurity expertise. Mark, welcome to the show and thank you for joining us today.

Mark Johnston: Hello, Miki, and thanks for having me.

Miki Shifman: Great. Good to have you here, Mark. We always want to start with something personal. Can you tell us how you got into cybersecurity and, more recently, how you got involved in the rail industry? Was there anyone or anything that persuaded you to make the jump?

Mark Johnston: Yeah, absolutely. So the majority of my career was spent in the private sector, actually, with a large part of that in supportive services related to the federal government, specifically student loans. That work dated back to a time before FISMA, which is the Federal Information Security Modernization Act. And for those not familiar with FISMA, it's the US legislation that defines a framework of guidelines and security standards to protect government information and its operations. And it came to be in about 2002. So FISMA emphasized a risk-based policy for effective security. And while I say that I was doing cybersecurity work before then, FISMA marked a point for me where it became more of a focus outside of just doing the right things, if you will. So most of your listeners are probably more familiar with NIST than FISMA. But that relationship is important, as FISMA drove a lot of what the NIST standards are today. In short, NIST provides the security controls and the guidelines, while FISMA enforces the controls by mandating federal agencies to develop and implement strong security programs. Examples of those programs that people are familiar with are PUB 1075 for tax information, CJIS for FBI criminal justice information, and MARS-E, the Minimum Acceptable Risk Standard for Exchanges from the Department of Health and Human Resources, which related to the healthcare exchanges that were rolled out many years ago. And when I shifted to the public sector, my initial focus was on cybersecurity related to Oregon's healthcare exchange. And I felt really good about working in the public sector. And actually, I remember I wished I'd made that my focus early in my career. I enjoy the public good aspect of going to work every day, and what that meant to me was important. And then after about six years with the State of Oregon, a former colleague reached out to me about coming to TriMet, and I said I was not interested.
And while critical infrastructure intrigued me, I was extremely happy in my role as the Director of Cybersecurity and running the security operations at the State of Oregon. Somehow I agreed to the conversation and entered the hiring process to continue that dialogue. And by the second interview, I was excited about the opportunity to join what I saw as a great organization where I could make a difference in critical infrastructure in an environment that was ready for that type of growth. Now, besides the person who asked me to come to TriMet, I reached out to the man I worked for when I first came to the State of Oregon, someone whose opinion I respect greatly. And through a dialogue with him, he also encouraged me to take the step. And here I am, and I couldn't be happier.

Miki Shifman: That's awesome. It's quite diverse, and being in all of those organizations probably gave you the sort of experience that you need. So I assume that, joining the rail industry, something has been different about it. So can you maybe tell the audience more about the differences between how you perceive the rail industry versus the previous roles that you had, in government and healthcare?

Mark Johnston: Absolutely, Miki. So the obvious difference centers on operational technology, or OT, right, versus my focus at that point, which was information technology, or IT. For a long time, we referred to ourselves as information security professionals, even. It was all about the information. And while that changed some time ago, with my move to TriMet I experienced a paradigm shift, if you will, from the well-known CIA triad of confidentiality, integrity, and availability that applies to IT to one of safety, availability, integrity, and confidentiality for OT. OT security objectives typically prioritize integrity and availability, followed by confidentiality, but also must consider safety as that overarching priority. Safety is number one. IT security is crucial in every organization, even transit, right, in order to keep its data secure and under control. But in OT, the safety and availability of equipment and processes dominate. And for me, in my current role, that includes systems that are required for signals, track, power, and tunnel ventilation, as a few examples. So before I made the transition, I did homework to better understand what I was getting into. One of the things I read was the Five ICS Cybersecurity Critical Controls white paper by Rob Lee and Tim Conway. While they touched on technology-focused differences, they boiled down the big difference between IT and OT to the mission or business purpose of the systems. As a generalization, IT is focused on how you manage the business, while OT is focused on why you are a business. Right. The mission or purpose of those systems dictates what's required of them and what the risks and threats are to those systems. That really resonated with me because I've always strived to be about enabling the business I serve to do the work that they do at a reduced risk. And this new environment also creates a great weight as we consider the services we're securing.
It's called critical infrastructure for a reason. And while IT incidents are more frequent, OT incidents are more destructive. TriMet can provide services without email and other enterprise IT systems and capabilities. But if signaling or tunnel ventilation systems are impacted, that's going to be a different story.

Miki Shifman: Gotcha. Yeah, the transition between IT and OT, I guess, is the biggest when you move between those types of organizations. And I guess the priorities shift is just as you said. And if you look at your journey within TriMet, when was the moment that you told yourself, I'm on the right path here, I'm on the right track, as we say in the rail industry? What was the moment of realization there?

Mark Johnston: Yeah, so, um, that's a great question. So while I felt that way by the time I made the decision to make the move to TriMet, I believe the confirmation for me came at a transportation cybersecurity consortium meeting that I attended at MTA a few months after I started. So let me back up and say that when I came in, I definitely felt out of my comfort zone. While I was comfortable establishing and maintaining cybersecurity programs in an IT world, OT is different. Right. And the building blocks exist in IT that aren't necessarily there in OT. IT people get it, right. It's basic cyber hygiene, doing the right thing. By comparison, engineers and others in the OT world are less familiar with the building blocks of essential cyber hygiene. And actually, some would argue that essential cyber hygiene in OT is different in and of itself. That's subject to debate. I have a good example for you. So, I started talking about this meeting at MTA. MTA out of New York is the friendliest 800-pound gorilla. Tariq Habib is their CISO, and Tariq has organized a large group of agencies that meet virtually throughout the year and come together once a year. And it's known as the North American Critical Infrastructure Transportation Cybersecurity Consortium. Quite a mouthful. Those face-to-face meetings include agency cybersecurity practitioners, OT operations folks, and larger OT vendors. It's a chance for us to collectively get aligned and work together to improve the cybersecurity posture of the industry. Now, I attended my first one of these meetings in the fall of 2022, about three months after taking my role at TriMet. And one of the most telling things for me happened at the end of the conference when people were giving general feedback, right? And at that point, an OT engineer from MTA stood up and said, if we're going to get better, we all need to speak the same language. He said, we heard about hardening systems over the last three days.
Hardening systems is something very different to him than the context in which he heard it being used. So the most significant shift for me was the approach to align resources to effectively move the organization forward with the risk associated with those needs. So it was wonderful. And you talked about, how did I know I was on track? I went to that meeting at MTA, and I got to hear firsthand about the cybersecurity needs in transit. And more importantly, I was able to understand the commitment within the transit community to solve the problems, which involved perspectives from our federal partners, such as the FTA, the Federal Railroad Administration, the Department of Homeland Security and their agencies, TSA, CISA, the Cybersecurity and Infrastructure Security Agency, and the like, all with a unified voice in regards to the deficiencies in the industry around cybersecurity and the need for us to all work together to get on the correct path quickly. And I heard from other cybersecurity practitioners in transit working toward the same goal without a sole driver from federal mandates. This wasn't like, hey, we've got to do this because the government said we have to. It's the right thing, and people were on that path, so these people get it. And I knew I was part of a community that would enable me to be successful at TriMet. And then the other thing I'd add that gave me that comfort and let me know I was on the right track is that I had the added confirmation when I met with TriMet COO Bonnie Todd. TriMet has really smart leadership, and I was glad to hear that Bonnie knew TriMet, like all transit agencies, needed to do better when it came to cybersecurity and OT, and she was committed to making that happen. And I feel held accountable for this important work, and that excites me.

Miki Shifman: Wow, it looks like it's a lot about building bridges, isn't it? Building the bridges with the other transit authorities in the same boat and building bridges with the operations people. That's what we frequently hear from that type of agency, that that's the only way you can really improve: having the right people. Yeah. That's awesome. And what resources have you used in order to improve your knowledge of OT? So, you mentioned the Five Critical Controls on OT security. What others have you used to improve? I guess those resources should be useful to anyone who's making this move from IT to OT.

Mark Johnston: Yeah, great question. So, at the highest level, I knew I wanted to engage TriMet senior leadership in the management of cyber risk, and I wanted to do that holistically. Right. That being risk consideration for IT and OT collectively, that meant I needed to understand how to bring them together in an understandable fashion under that single umbrella. So the biggest boost for me in that regard actually came from an APTA webinar I attended 30 days into my new role. The webinar was about implementing the Operational Technology Cybersecurity Framework, or OTCMF. OTCMF is a maturity model developed by the APTA Control and Communications Cybersecurity Working Group and was specifically designed to assist transit agencies in improving cybersecurity risk posture for their OT environments. And while I'm only starting to delve into the value of that standard itself for TriMet today, this webinar made me aware of NIST Special Publication 800-82 R3, which is the Guide to Operational Technology Security, and more specifically the associated overlay that provides guidance on the specific controls that apply to operational technologies, as well as recommendations about how to tailor Special Publication 800-53 security controls for an OT system. Okay, that's a mouthful there, right? But for me, that was like, boom, a light bulb moment, because this was extremely helpful in aligning IT and OT from a cybersecurity program perspective: understanding that special publication related to OT security and overlaying it onto 800-53, which I had been working with for a couple of decades, since its inception, actually. So getting those two aligned was great in this new environment, leveraging the experience I already have. Now, I apologize to those that are not NIST wonks, but my point is really more about leveraging and building on your strengths and not focusing on gaps or weaknesses when you build a cybersecurity program.
You don't want to go in where you've got no strong foundation and build something, because it'll end up being shaky. So that was one thing that really excited me and aligned really well, Miki.

Miki Shifman: Yeah, it's a big shout-out to Michael Echols and the rest of the APTA CCSWG working group for building those standards, because this is an important bridge, an important way for IT professionals moving into OT, when you start putting those building blocks together and putting the right translations in the right locations, because these are the challenges that each of us faces on a day-to-day basis.

Mark Johnston: Spot on.

Miki Shifman: And if we get back to your early days in OT, what would be a transformative challenge that you had, something that turned into a learning opportunity for you?

Mark Johnston: All right, so this could almost be an answer to the previous question as well, in terms of something I wish I knew early on, something simple but very important. I wanted to get exposed right away to the specific OT in my environment. So I met with different folks that I believed were the key players in our OT environments who could help me understand what I was dealing with. In hindsight, I was already applying IT cybersecurity knowledge to the OT environment that I was hearing about, despite knowing better. Not the right thing to do. Old habits die hard. For example, while I was aware of the challenges in patching when it comes to OT, I was trying to work through the problem in a specific area when I was talking to an engineer, without the larger context, in a more holistic prioritization. Right. I don't want to go in and direct people's attention to a certain place. I need to understand what the big picture is. And I also realized I lacked some necessary common knowledge and language and the basics on which to build this important relationship. So, thankfully, I level-set early, and I built up my own and my team's basic knowledge of OT, leveraging SANS training. And I want to give a quick plug on federal partnerships. A specific benefit of one federal partnership is the ability to purchase SANS vouchers at about half price for SANS on-demand training. And that's through MS-ISAC, the Multi-State Information Sharing and Analysis Center. So I leveraged that to provide ICS data security essentials training to me and my team, which proved to be invaluable in translating our current IT cybersecurity knowledge to OT. And that allowed me to be more intelligent and relevant in my questions and in assessing and understanding what we were working with.
We also made the same training available to the folks on the OT side that were working with us, if they desired, because, then again, that would help create that common language for us to connect and build that relationship. So that common language again. And it comes back to relationships. Right, Miki? So there you go.

Miki Shifman: Yes, language and relationships are key, and it's a good way to learn a new language. Cool. All right, so now let's shift the topic a little bit. Let's do the reverse order. We started by asking about the OT resources, and what you would recommend to others learning about OT. But now let's maybe zoom in and double-click on the IT best practices that you brought with you from your previous experience, because I guess there's a lot to learn from that as well. And some of those are definitely transferable to OT. So maybe you can share more about those IT best practices. I guess you touched on some of them with NIST, but you probably have others there that would be very relevant to everyone that hears us.

Mark Johnston: Yeah. Again, I like this question, Miki, because I think it's always best to focus on strengths when building. Right. As I said before, that's a really important thing. I mentioned briefly the importance of our senior executives making decisions based on risk. And one of the first things we put in place was a risk management program at TriMet that had a defined point for senior executive involvement. I'm building the expectation within the organization that my team will operate to maintain cybersecurity risk under a certain threshold. And when that cybersecurity risk rose above that threshold, TriMet executives would be aware and would be able to weigh in on the path forward and any necessary, what they call, risk treatment options. Right. Avoidance, reduction, acceptance, those kinds of things. This is the same regardless of whether the risk is IT- and/or OT-related. I don't want to, again, have them change hats when they view these different kinds of risks. They should be able to look at them collectively and holistically. So, for example, we completed a third-party assessment of our cybersecurity for our light rail environment last year. So instead of giving these assessment results special treatment, they became part of that cyber risk management program that's already established, and then it could be weighed globally. It's very important for the health and sanity of the organization that we can prioritize efforts in mitigation strategies based on the cyber risk in the bigger picture. This is opposed to playing what I call cybersecurity whack-a-mole and queuing up new work as cyber risks come to light. Without regard to the bigger picture, we're just going to be whacking those things in a never-ending way. So that risk management framework was really important, and it fits well. I also believe in leveraging and maintaining strong federal and industry partnerships.
For example, we just completed a CISA-led cybersecurity tabletop exercise this past week. It was a fantastic event that was well supported by TriMet as a whole. And because of the commitment to the process by the business, the resulting report will undoubtedly provide recommendations that are going to make our response capabilities even stronger. And like other identified risk reduction opportunities, they'll be considered in the bigger picture alongside all other cyber risks, and not just decided on singularly. Otherwise we just have this shifting and this cybersecurity whack-a-mole going on. So.

Miki Shifman: That's cool. Actually, I'm interested in double-clicking on the cyber risk topic and asking whether you had an exchange with, let's say, safety engineers, comparing the risk that you identify in the system to what they identified before in their system. Did you have this type of conversation? Because from what I know, that's a big challenge for many of the operators, to understand how both parties look at the risk.

Mark Johnston: Yes, and I think it's really interesting. I feel like you looked at my calendar. I actually have a meeting this afternoon to talk to somebody about, hey, how can I better align the PT-RaM and the other safety and security risk assessments into the work that we do? We do rail and bus, right, multimodal. And we had two separate PT-RaM sessions with the feds, and I attended them both. And we hit the cyber components there. And as a matter of fact, we partially leveraged the cyber scenario they used in that one with the tabletop exercise that we did. And we spent a lot of time planning it, too, to make it very specific to TriMet. And that's one of the pieces of feedback we got. The one thing about PT-RaM, when the feds come in, they know your transit, and they can be pretty cookie-cutter in their approach and how they do that. But when you go to a tabletop exercise and you're going to involve executives and the business people and see how everybody interacts, you need it to be very relevant to your business. So we took the considerations from what we got from those safety assessments, and then we brought the smart people in to help plan the events. Hey, what's feasible in these scenarios of what we want to do? And we laid something out and we worked with CISA. They were fantastic, by the way, to get something in place. And now I'll fast forward to the end. At the end of it, one piece of feedback we got from one of the senior leaders was that this really felt like it was relevant. They'd attended these kinds of tabletops before, and it didn't always feel like it fit necessarily. It just kind of felt cookie-cutterish. This felt very specific to TriMet, and they embraced that. And because of that, we're going to get so much more out of it, Miki.
And I love what you're saying, but I'm going to say this, and I'm probably going to say it to myself: I need to commit to doing better. And that's why I've got that meeting this afternoon. Right. How do I even better engage the safety and security folks? How do I better leverage OTCMF to give myself that modular view in terms of a self-assessment as well that I can look at going forward? So, great question. Very relevant to me.

Miki Shifman: Yeah. There's nothing better than aligning the cybersecurity objectives with the business objectives and the cybersecurity risk with the safety risk, because that's what powers the business. And it's definitely great to hear how mature you are in the perception of those topics. Cool. Now, after we discussed both the topics of OT security frameworks and IT security frameworks, can you maybe highlight the main high-level differences between those types of frameworks? What would you typically encounter in one that you wouldn't encounter in the other?

Mark Johnston: Yeah, and I think we touched on a few of those. Absolutely. You know, we've got that common ground we talked about. Right. So I wanted that risk management framework. So obviously the NIST special publications around risk management and the guide for conducting risk assessments and, frankly, the NIST Cybersecurity Framework. Right. All those are very relevant in putting that together. And then we've got things like OTCMF. I talked about, hey, we had a third-party assessment done, and as part of the deliverables, I like to have a crosswalk done of the different standards. Right. What does this look like related to CSF, OTCMF and the CIS Controls and those kinds of things? One thing I'll say is I try to limit my organization's direct exposure to the cybersecurity standards and frameworks we use, to avoid confusion and overload. But there are standards that lend themselves well to such exposure. For example, the Center for Internet Security Controls, formerly known as the Top 20 Security Controls, have a great place in roadmaps and measurements because they represent maturity and best practices. Right. And they're proven to reduce cyber risk. They're also very measurable and mapped to most other standards. And even the Five ICS Cybersecurity Critical Controls white paper that I mentioned, which is very specific to OT, aligns to the CIS Controls. Rob Lee and Tim said, hey, here's these five things. But if you look at it, it's a bunch of the different parts of the CIS Controls. And I like that they try to make it simple. So if an OT practitioner was reading it, they'd understand these general categories. But from a cybersecurity program perspective, having things that people can understand, the OTCMF, right, from the app security workbooks. And Michael Echols, I'm glad you gave him a plug. I appreciate that man and the good work he's doing. Like I said before, I haven't fully embraced it directly.
So that's one of those that came to mind when you said, hey, Mark, different standards. In the short term, I feel like I'm not missing anything because of that focus on NIST 800-82 that I mentioned. But I believe OTCMF and its industry-specific roots make it a valuable part of our program going forward. And I want to have that year-over-year growth measured in that area versus just looking at everything holistically. Right. But how much will I expose OTCMF to the different folks within the organization? I'll probably introduce them to it at a higher level and give a report card at the senior executive level, this is how we're doing, but then continue to run everything programmatically. But again, OTCMF, I guess, is one of those that I would call out. And of course NIST 800-82 is very different but very much part of our cybersecurity program plan, which covers both IT and OT at TriMet.

Miki Shifman: Cool. And maybe about this OTCMF, are you able to share more about what would be a good objective in terms of the maturity level, or at least the year-over-year growth that you would expect to have as part of the maturity level of your organization, or any organization for that matter?

Mark Johnston: That's a great question. That would be something that I want to establish. And I did something similar with the CIS Controls. Right. The Center for Internet Security has, driven by the Department of Homeland Security, a self-assessment that you can do through MS-ISAC and the Center for Internet Security every year. It's called the Nationwide Cybersecurity Review. The questions are based on NIST CSF, but they're designed for somebody to be able to do it even if they aren't a cybersecurity professional, which I love. Right. But they map to the different things. So bear with me for a moment and I'll get back to your very specific question about OTCMF. The beauty of NCSR is I can take that initial assessment and say, hey, this is where I'm at on the maturity level. This is what I'm going to be doing the next year and the year after that. And this is how I expect that to grow. And I set that expectation with my executive leadership, and I build that into plans, and they're going to ask me at the end of the year, did we hit this mark? Did we hit this mark? And the most important thing I'll say, Miki, is getting that first baseline. You've got to measure. You can't start right until you know where you're at. And to be honest, I know where I'm at with OT from my third-party assessment and a couple of other things. I don't know where I am holistically as it relates to OTCMF. That's part of what I want to be asking on the call I'm having later today. Hey, how do I get where I need to be to have that initial baseline assessment, right, so then I can set those expectations? I know what I plan to get done over the next year, and then the following year I have a roadmap that goes a few years into the future. Obviously it gets adjusted as we go along, but that allows me to get that starting point and then go forward. So, like I said, I haven't embraced it wholly, but I'm at the point where I'm ready to do that and build that in.

Miki Shifman: So, yeah, that's awesome. Thank you for sharing that. I guess it's also a new framework and it will be interesting to see how others adopt it as well. And I assume you'll be able to exchange on this topic once a bunch of transit agencies take the same path of adopting the OTCMF. And yeah, your plans seem totally in the right direction. That's awesome. Cool. So we touched during this conversation on a few working groups that you're part of and gain experience from. Can you maybe share with the audience more about those working groups and what one can expect to learn from each of them?

Mark Johnston: Absolutely. APTA actually has two cybersecurity working groups, but they really work together, I think, for the most part. One is about enterprise security, kind of the OT part, and the other is the workgroup that does OT. And they're the ones that came out with OTCMF. There was a meeting down in Dallas recently that I attended, and I made a commitment there that I was going to do more to get involved with this workgroup. One thing I'll say, and I would encourage other transit agencies to do it as well: the one thing about this group is it's got a heavy vendor presence, and it would benefit from more agency practitioners. And I think if we're going to get that benchmarking done right against OTCMF, we're going to have to have agencies get involved and really embrace this holistically and put together a path that makes it very feasible to be done and compared agency to agency. Because think about this as well. How cool would it be if we could all do this OTCMF benchmarking and then aggregate this information and see how we look as a whole? Right. Transit as a whole against all our partner agencies? That would be super exciting. But it doesn't mean a lot if it's only one or two or just a handful doing it. So if somebody's going to get involved in something, I encourage them to get involved in that one. That other group at MTA, that Tariq has put together, is an awesome group. I made connections with peers and even with vendors. And I think getting into a group like that and the monthly calls, there are always topics that are very relevant to transit agencies. And then the once-a-year face-to-face is just incredible. I am so grateful, because a lot of times organizations and industries exist that are the behemoths, like an MTA in transit, and they're really more about themselves.
They do some things globally, but the stuff I see MTA do for the transit community, I was just blown away. They make an investment and they understand, right, whatever we can do across all of transit is going to make them better. And I'm just so grateful for them. But if somebody's in transit, they need to reach out and get linked up with that group at MTA. And industry connections, right, you've got to invest in those relationships. I need to do better, and I think as I have more time, which is a weak excuse, as I make more time to grow some of those relationships, it's going to benefit me even more. Of course, we have the information sharing and analysis centers. Miki, you've got the Public Transportation and the Surface Transportation ISAC. I highly recommend the Multi-State ISAC, which is run by the Center for Internet Security. They're actually contracted by DHS to do that. Fantastic services. They actually have incident response support. If people need those kinds of services, they can support OT to a certain degree. Yeah, so MS-ISAC, and then CISA. Oh, we talked about CISA. Right, CISA. Know who your regional folks are. Get a hold of them. Make sure you know what all the offerings are. A lot of them are free. Right. Take advantage of those. So those are a lot of things that I'd recommend people take advantage of.

Miki Shifman: Awesome. Yeah, I see there are a lot of groups available to the different transit agencies, and it's good to see that each of them brings something a bit different and unique to the table, and the combination of them creates better cybersecurity aging for everyone. Yeah, that's great. So, cool. Hearing you here, Mark, it sounds like you made the right transition from IT to critical infrastructure and transit. And I'm interested to hear from you what is the most rewarding thing about making this shift from the other industries you've been in, the public sector, or, let's say, state government and healthcare, to transit. What is most rewarding about it?

Mark Johnston: You know, I gotta say, I'm happier doing the job I do today at TriMet than I've been at any job I've ever had. However, I want to be really clear: I've been happy like this at every other job I've ever had. You know, I just didn't know. You don't know what you don't know. I love what I do. I love cybersecurity, and I love enabling businesses to operate more securely, understanding what their businesses are, and then reducing that risk. When I went to the public sector eight years ago, there was a great sense of pride about serving others. And it's not just working for Wall Street, if you will, where you've got to maybe tell your folks, hey, you've got to take a furlough week off because we need to make our numbers this quarter, and those kinds of things. Don't get me wrong, the private sector can offer the same kinds of things depending on where you are and what you do. But I wasn't necessarily feeling that as richly as I felt it when I went to work for the state, right? And especially when I went to the Oregon Health Authority and the Department of Human Services, supporting cybersecurity for them was awesome. And then going to critical infrastructure, it's like I feel like I'm doing something for my country as well, right? Because we hear there is a need for cybersecurity supporting critical infrastructure, and being able to take the skills that I have in building relationships and leverage what I can do, I really feel like it'll make a difference. And that's why I really like to encourage folks to consider moving into critical infrastructure. I'm not sure what Jedi mind trick my acquaintance used to get me to where I'm in this seat now, but I'm glad it happened. I'm just super excited, and it feels really good, Miki.

Miki Shifman: That's awesome. All I can say is just amen. Super interesting. And I guess we can only read CISA's reports to see how targeted transit is and how much good work still needs to be done. And I strongly encourage everyone to take on this challenge as well. Awesome. So we're getting closer to wrapping up, and I would be interested to hear what wisdom you would offer IT professionals who are attempting or thinking about a similar transition to the one you made into transit.

Mark Johnston: Oh, gosh. I guess, in short, it's like, do it. Take the plunge. If you have cybersecurity experience in the realm historically referred to as information security, take those skills and add to them in an area that's in desperate need. If you enjoy cybersecurity, you're going to find it rewarding. It's a great community. It's a great industry. It's got attention, federal government attention. It's got the attention of agency leadership, non-cybersecurity leadership. And those of us who've worked in cybersecurity for a long time know it's really nice to work in an area that really knows the importance of cybersecurity and the fact that they need to grow there, and that just has a plan to move forward. But get over here and get involved. Make a difference.

Miki Shifman: Yeah, definitely. Just make a difference. All right, so, Mark, thank you for being here today. It was a pleasure to host you here on the Secure Tracks podcast. You'll be welcome back at any time, and we'll be happy to hear about your progress. It seems like a lot of things are going on, so we definitely anticipate a lot of progress over there. And I guess the working groups will also keep evolving, and we'll be happy to learn more about them. So thanks for your time, and thank you, everyone.

Mark Johnston: Thanks, Miki. It was great talking to you.
