
Rail Tech Security Podcast | Lessons in Rail CISO Leadership: Learning from Mistakes & Building Resilience | Shaofei Huang | S1E2

In this Secure Tracks episode, Shaofei Huang, a seasoned CISO in the rail industry, shares his insights on the complex world of cybersecurity in rail. Huang sheds light on the unique challenges CISOs face in operational technology environments and highlights the need for prioritization and understanding of consequences. Pollock and Huang discuss the increasing threat landscape, with targeted attacks on transportation networks and railways becoming more prevalent.

About our guest:

Shaofei Huang is the Group Chief Information Security Officer at SMRT Corporation Ltd. Prior to joining SMRT, Shaofei gained extensive experience through a diverse range of roles at Singapore's Land Transport Authority (LTA), Ministry of Home Affairs, Centre for Strategic Infocomm Technologies (CSIT), and InfoComm Development Authority.


Roark Pollock: Hi, I'm Roark Pollock, and this is the first season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're talking about securing digitalized rail operational environments and working together with rail operations teams. Today should be a great conversation because we're talking with Shaofei Huang, who is an active rail chief information security officer. Shaofei is the current group CISO for Singapore Mass Rapid Transit, or SMRT for short. And prior to SMRT, Shaofei was with the Singapore Land Transport Authority for almost 12 years, where he served as the CISO for over six years. Shaofei is also a fellow of the Singapore Computer Society, a member of the Singapore Institute of Engineers, and a member of the Singapore chapter of MENSA. Shaofei, welcome to the show, and thank you for joining us today.

Shaofei Huang: Thank you, Roark. Thanks for having me, and I'm excited to be here on your show.

Roark: Awesome. Well, we're really excited to have you. So thanks for joining us. Shaofei, I see you're like me, you have an undergraduate degree in mechanical engineering. So I'm always curious how people go from mech E to being a long-time SAGR security practitioner and what got you into the rail industry.

Shaofei: Yeah, that's a great question to start off with. When I was in mechanical engineering, I wasn't doing everything that was related to mechanical engineering. So that was in 1993, 1994 when I was in college. And there was a time when we started to have internet in the library right around the university campus and I got to use some of these computers to do, you know, like in the past in mechanical engineering, we do CAD design using AutoCAD and stuff like that, right? So that kind of like got me interested in computers in general, and I got started with Linux. There was a huge thing in the early days, there was a community around, you know, Slackware, Linux, and so on. So I became involved, more and more involved, and that was how I started to hack systems just for fun, right? And the other thing was also that I really loved how things work and that was how I started to, you know, go from a mechanical engineer into software, hardware, firmware, and now engineering systems. So that was really how I got started.

Roark: Yeah, I just thought it was a nice starter since we both had that background. All right, well, let's dive into our first topic. Let's talk about digitalization and rail operations, a little bit about the scope and the challenges. So I know having lived in Singapore myself for three years, quite a long time ago, that the country tends to pride itself on being, you know, on the leading edge from a technology standpoint. And I'm curious now that you're with SMRT, if you see that playing out at SMRT, whether it's from an IT perspective or really in the operational rail technology environments there at SMRT.

Shaofei: Well, before I talk about technology, I suppose we need to go down to the DNA of the company or the industry in Singapore. As you mentioned, we do have a very forward-looking government who, you know, of course as a small country pride ourselves as trying to be at the leading edge. But I suppose in industries like operational technology environments, although we want to be at the leading edge, oftentimes we are, you know, constrained by the industry where we are at globally, not just in Singapore. So I think that is one area that kind of like I want to bring up. The second thing is also that there is obviously a narrative around why do we even need technology, right? Is there really a need for us to be at the leading edge? That's the question. So in my company, the current company that I work with, SMRT Corporation, we look at technology as an enabler for what we call continuous improvement. And you know, we call it Kaizen, by the way. So this is like a way of life, a way of, you know, continuous improvement that started from Toyota. And we embrace it in the company from, you know, the very guys working on the factory floor to even the management. So as part of Kaizen, one of the principles is that we challenge tradition, right? We do not accept the norm as it is. And we've continually focused on finding solutions, whatever the problem or the challenge may be. And that's where technology comes in really, really useful, right? So we look for technologies in our work, in our design, so that they are applicable to every aspect of what our operations need. And that's where the concept comes in, in terms of operational rail technology, right? We're going to talk about cybersecurity. If you look at the kind of IT domain, it always goes around securing information, confidentiality, integrity, and so on. But when you look at a railway operating environment, the context of applying technology or even trying to be a leader in those spaces has a very different nuance to it. So I suppose that's a kind of like a long answer. 
I'm not sure whether that is the kind of answer you're expecting, but technology has a place in how we look at operational rail technology. But the context is we are using it for our business to be better at what we do and also to be better aligned with our business objectives.

Roark: Yeah, that's perfect. I think a lot of people look at technology that way and see it as an enabler. I'm curious, as the group CISO there at SMRT, the scope of your responsibilities from a cybersecurity standpoint, does it include both those operational rail technologies and what I consider to be the more business-focused IT infrastructure?

Shaofei: Absolutely. So my role as the group CISO in SMRT Corporation covers not just the railways, but also our other businesses, including buses, even taxis, our subsidiaries. I mean, we do a variety of stuff in the company, more than just the train business.

Roark: Got it. Yeah, understood. Understood. So when you think about the operational rail tech environment, primarily with the rail business, because that's what we're talking about here today, how do you think about the scope of that environment, you know, what do you include? What's not part of that scope?

Shaofei: Well, that's a tough question, right? So in Singapore, at least for the railways, it is a regulated sector. So in Singapore, we have what we call the Cybersecurity Act, introduced in the Singapore Parliament a couple of years ago. There's a regulator for cybersecurity, which is called the Cybersecurity Agency, which actually, you know, governs cybersecurity across the critical sectors, and railways and transportation is obviously one of those. So when you ask the question, what kind of defines the boundaries of where we land at, right, in terms of what we need to secure and how much attention, how much resources do we pour in, it really is around compliance to that particular Cybersecurity Act. But that being said, there are other areas as well, which is, you know, one of the things that is coming up more and more regularly after, well, two years ago, when we have seen the Colonial Pipeline attack. I mean, operational technology attacks and cybersecurity threats are not new to the industry, but I think it has come to the fore. And that's something that we're really concerned about.

Roark: Yeah. Yeah, got it. And I know, you know, being on the leading edge of technology is probably great fun for the engineer in you, but causes a little bit of trepidation for the CISO part of you. How do you approach the current cybersecurity risk in the operational rail tech environment and what do you think about the current landscape as far as that rail environment? 

Shaofei: So well, there are so many facets to this. So as I mentioned earlier on, there are already incidents that, in fact, if you just look at, I mean, I'm not going to name the companies, but you just take a look at Google or the news in the recent months, you have seen some of these attacks that are increasingly targeting transportation networks and railways around the world. So it is clear that railway technology environments are prime targets, right? These are not acts of mischief, they are sophisticated targeted attacks, either for financial or other purposes, right? And it does not help that the level of technology obsolescence, or what we commonly call technical debt, in operational systems, operational technology systems, is more the norm than the exception, especially not just in the railway industries, but across the world, right? And in this regard, when I look at cybersecurity risk in operational technology environments, I tend to adopt an assume-breach strategy. So what do I mean by assume breach? By that I simply mean that, you know, we prepare for the worst and hope for the best. Now, this is not an intuitive or comfortable position for CISOs to take, right? Especially for those traditional CISOs who come from an IT background. I mean, I have spoken to CISOs who are not engineers, and they really struggle with this because as engineers, we are familiar with the whole concept of failure, failure engineering, and we prepare, we design our systems to fail safe, right? But cybersecurity systems, oftentimes, it's kind of a binary success or fail kind of situation. So particularly if, you know, IT CISOs are put in the position where they come in from a governance, compliance and control kind of perspective, right? They want to control everything, but in engineering systems or, you know, environments like this, that is often not intuitive or not even possible in certain respects. 
So just to be clear, the main goal of what I mentioned as an assume-breach strategy that I take as a CISO is to minimize the time it takes to detect and respond to the incident. Now, this is very different from what traditional CISOs may tend to focus on, which is to eliminate the risk of incidents even happening in the first place. Now, this is very apt for railway industries because even when incidents happen, we can't stop the railway or the operations just because a malware has been detected, right? So life has, things have to continue moving. I just need to make sure that we isolate the incident swiftly and, you know, prevent them from causing even more damage. So this is kind of counterintuitive and very challenging for CISOs to adapt to if you are not from this particular domain. 

Roark: Yeah, that makes good sense. As you moved into SMRT, because if I remember right, you've only been there a couple of years now on the operator side, and you took responsibility of this particular rail tech environment. How did you think about prioritization of efforts? Obviously, you can't do everything you want to do at once. How do you think about a starting point in approaching the problem?

Shaofei: That's a great question, actually. So before I joined SMRT, I spent more than a decade in the Land Transport Authority, as you mentioned in the introduction. So I was a regulator. So when I was a regulator, I took a certain view on how we actually want to manage security, cybersecurity, for such systems, right? As I mentioned, there's a huge amount of technical debt, and you really have to prioritize, to your point. So how do you prioritize? Number one is, of course, I subscribe to the view that you need to start off from actually understanding the consequence, right? The consequence of having a system breached, the consequence of having a certain operational aspect disrupted, right? So are they critical to safety? That's the first question. Because at the end of the day, you don't want people to get hurt, right? When cybersecurity attacks happen, it's a whole different complexity as compared to maybe a file getting, you know, exfiltrated from the system and whatnot. So confidentiality, while important, may not be as important or critical in an operational tech environment. The second thing will be the interconnectivity with other systems, which is really key here, right? Because when we look at systems or security design in IT landscapes, oftentimes we look at the systems themselves, right? Operating systems and what applications are installed and so on. So you tend to think that when you isolate an incident, a cybersecurity incident in a particular IT system, that's it, you know, you have your job done and you can, you know, wrap up the report. But in the operational environment, it's very different, right? Because there are interconnectivities, there are interdependencies with other systems. And bear in mind, as I said earlier on, there's a huge amount of technical debt. Some of these systems are not as quick to recover from, you know, functional deficits because of incidents. 
So that's where as a CISO, as a cyber security practitioner in this space, you really, really need to have an understanding of how things work together. So if I may just say, it's kind of like a systems of systems view. I know it's kind of like a very complex engineering term, but that's really key to it. You need to have a systems of systems view to addressing cyber security in environments like this.

Roark: Got it, got it. So I don't want to put you on the spot here, but I always think it's interesting to learn from our mistakes at times. And I'm curious if, you know, in the first few years, you've experienced any failure or mistakes that have turned out to be great learning exercises for you that you might share, that people might learn from as well.

Shaofei: Absolutely, you know. In fact, Roark, I have so many big failures. I mean, small and big in my career, right? But I would qualify that. Yeah, but I would say the real learning moments for me are to be kind to those people who are involved in the incident, including ourselves, right? As leaders, we need to be kind to ourselves. But the reason is because we need to embrace our mistakes. We only learn from making mistakes, right? As I often tell my colleagues, not just in this particular role, but even before I joined SMRT Corporation, would be that when we learned to walk, we fell, right? But we learn from that, right? That is just our DNA. But why do we not do that in our area of work? So we have to be kinder to ourselves. And accept that failures are one of those consequences or one of the side products of what we do at work, right? We need to make mistakes. The second thing, and already about the biggest takeaway for me, is to be resilient. Now, resilient is a very tricky word, right? Resilient, if you think about it, it's kind of like building our muscle, right? We don't build muscles by just sitting there and waiting for things to happen, and then just typing a few keyboard strokes and hoping that the incident goes away. We really need to pull our sleeves up and get involved in the incidents, get involved with the operations, the engineering stuff, and try to address incidents from the ground up, all right? Of course, as cybersecurity practitioners, many people, many practitioners that I work with or talk to, they are not on the ground. The reason being that they are not engineers and whatnot, right? But I think as a CISO in this particular industry, you really need to go down to the ground and understand how things work, what kind of impact cybersecurity attacks, or even the policies that you actually introduce to the company, have on the people on the ground. 
And when things happen, when failures happen, big or small, you can then have a better position, right? Because you understand the business, you know what the impacts are, and you're able to make better decisions as to what you need to do next. Because time is of the essence, and you are seen as an advisor to the board of directors or even to your chief executive officer. So you really need to know what you're talking about. 

Roark: Got it. Those are fantastic observations. I love both of those, though. Appreciate that. Well, let's move on to our next topic here and talk about tackling the risk within this operational rail tech environment and how you think about the intersection of security or cybersecurity and safety. I know that there are lots of CISOs in the rail industry that might now just be asked to take ownership of the rail tech environments for the first time. We talked about this a little bit, but when you came on board, how did you start to get your hands around the rail tech environment and start to understand the associated risk? 

Shaofei: So going back to what I said earlier, the first thing to do is to really go back to the core design principles of the railway systems, right? They are not designed to be cyber secure. We have to accept that. What are they designed for? They are designed to be reliable. They are designed to be safe. And that's why when you talk to engineers about critical control systems, the boundary conditions or the design philosophies are always safety first, right? But what really is safety? So we have to go back. I mean, as an engineer yourself, Roark, you probably understand what hazard analysis is, right? So that really forms the key part of the conversation. Is cybersecurity part of a hazard? Is it a hazard to the system's safety or reliability? So if you can't start the conversation with that, it'll be very challenging to go further, right? So when you talk about safety and reliability, there are intersections with cybersecurity. And one of those things that has kind of changed over the last decade or so is that the intersection between safety and cybersecurity has become even more visible. It has always been there, right? It's just that it has become more visible. The reason why? Why is that so? Because, I mean, for those of the audience who are familiar with the Purdue model or 62443, we talk about security levels, right? SLs or criticality, whether you are level zero, level one, level two, you start to build up the whole concept of systems of systems. You have zones, you have conduits, you have systems across the whole ecosystem of the railway technologies. So one of the key things will be to actually understand, again, what are the consequences, the intersections between safety and cybersecurity, and draw out what are those, you know, clusters of systems, conduits, zones, and intersections that you want to bring up to the conversation. 
It's not really, maybe, let me be clear, start the conversation with what matters most to the business, to the operational stuff, right? Don't start off by talking about things that are important to the CISO or the cybersecurity team in terms of cybersecurity, because you land in a very different, you know, starting point altogether. Have the conversation with them to understand what matters to them most in terms of safety consequences and safety objectives, and then you'll be able to understand what are those networks, peripherals that are connected to systems, I mean, you mentioned railway systems, so off the cuff, it will be things like signaling and communication systems, automatic train supervision systems for automated trains and so on. So those are the things that will be really key, right? And in starting that conversation and understanding, you know, why cybersecurity has to be part of the conversation when you talk to them about safety. So that's one. The second one would be in terms of, I mean, looking at past incidents, right? And this is an interesting nugget of information, right? A lot of environments or systems in this industry are not monitored for security. And that's where Cylus comes in, obviously, right? And when you don't have active monitoring of these systems, you do not know what you do not know. And when things happen, inevitably things will happen, big or small, right? You don't have the kind of visibility or awareness of what has been in the system and what you need to get your attention fixated on to start addressing those incidents. So that is really a conversation that we need to have, we as cybersecurity professionals, practitioners need to have with the engineers so that when they respond to safety incidents, when they respond to hazards, they can start asking the question, could this have been a cybersecurity incident? That will be a huge win for the CISO or the cybersecurity practitioner. 

Roark: Yeah, I think that's spot on. I think you're spot on with the assume-a-breach approach. And I think real-time continuous monitoring is a big part of that because you've got to be able to shorten the detection to response timing. So like you mentioned, fantastic.

Roark: So I'm curious, you have an interesting background and you mentioned it earlier, having worked for the public transport authority before going to the other side, working for a public transportation operator now, and you've been on both sides of the fence. How do you, do you view safety and cybersecurity differently on coming from one role to the other? Do you have a different approach between the two or do you think about things differently now that you are on the operator side? 

Shaofei: Well, from my experience, the vocabulary has the same interpretation, safety and cybersecurity, whether you are in a PTA, the public transport authority, or a PTO, public transportation operator. So as I said earlier on in my previous response, safety and security, they are closely related and often, as I mentioned, the intersections, they do overlap. And the reason for this is one failure in safety could be related to a failure in cybersecurity and vice versa. But in terms of the approach, it may be different between how a PTA and a PTO will address it, right? So the PTA, coming from a governance and compliance perspective, will look at checklists, they will look at external audits, independent views of assessments of where you are in terms of posture, internal maturity. Does it really help cybersecurity? Obviously, yes, there is obviously a positive momentum from it to actually get operators to get serious about cybersecurity. But I will say from an operator point of view, where I'm at right now, I think we need a more hands-on kind of approach from the ground up, not just to look at governance per se, right? I mean, we all know that, as I mentioned earlier on, there's a technology, technical debt, there are technology risks that we have to deal with on a day-to-day basis, but we still need to keep the railway moving. We still need to have an eye on keeping our passengers, our customers safe, right? So then what do we do? So I would suppose in an operator, you probably have to take a more pragmatic framework approach. So what I personally use is very simple, right? I use the PDCA cycle, the plan, do, check and act. So as a former regulator, having worked in a regulator, I know what are the things that I need to plan for, right? 
So I prioritize them in terms of what are the things that I can immediately do, regardless of whether I have the technology, whether I have the OEMs on board with it, what are the things that I can do as part of process improvements, right? And what helps me a lot in implementing this prioritization is the NIST Cybersecurity Framework, or the CSF in short, right? So the CSF, for those who are not very familiar with it, basically comprises the phases of the cybersecurity life cycle, right? So identify, protect, detect, respond and recover. So I would say for a lot of the existing railway lines, probably the focus of the CISO or the cybersecurity team should be on the detect and respond. What do I mean, right? It is what it is, you have a system there, you need to keep the railways moving, you have to keep your passengers safe. So you really need to make sure that you focus your attention, your resources on protecting the system by detecting threats and responding to them on a continual basis. Again, more concrete examples of where safety and security intersect is that safety hazards are being monitored on a very rigorous kind of a regime, right? Because that is what the systems are designed to do. But the approach that I have to take with PDCA as well as the CSF framework is basically to map those controls to what are the equivalent cybersecurity, you know, tenets or programs, initiatives that I want to run to improve the processes.

Roark: Yeah, understood, yeah. You've mentioned a few different frameworks, you've mentioned NIST, you've mentioned there in Singapore, the CSA, and then I think previously you referred to IEC 62443. Are those the primary frameworks that you use within the operations areas there at SMRT?

Shaofei: Yeah, we use the CSF a lot. So when I joined the company, I actually, I won't say replaced, but I aligned the framework, the cybersecurity framework, more closely to the NIST CSF. Previous to that, as most companies do, we aligned ourselves to ISO 27001, ISMS, or the information security management systems kind of standard. But through my experience, whether from a regulator or now as an operator, right, I feel that a more pragmatic framework such as the CSF is more suitable. It allows the cybersecurity team to really dive deep and focus on the areas that matter most to the business. Whereas in 27001, it's kind of a checklist thing, right? You have to make sure you comply with every other area. So that's kind of a different tone to how you want to manage security in the business. 

Roark: Yeah, I find that's pretty common in conversations with other CISOs as well. All right, well, let's see if we can transition over and start to hit our third topic here that we wanted to talk about this evening, collaborating with operations and also your executive stakeholders. I know often when you are looking to start a project that involves the operational rail tech environments, I assume, and from what I understand, most often that involves the rail operations teams or at least some part of the rail operations or organizations. Is that actually the case for you? And if so, how do those interactions usually play out?

Shaofei: So I'm quite fortunate that in SMRT Corporation, we have what I call a cybersecurity team that is embedded in the railway operations. So we have a line one function in the railway operations where engineers on the ground are actually, they carry certain cybersecurity responsibilities. And we have a line two, which is more about setting the standards and ensuring controls are in place. So we have a line two team in what we call the operational technology cybersecurity team. And that also is embedded in the railway operations business. So as a group CISO, I oversee all of this, but I think what is really, really beneficial about this configuration is that on a day-to-day basis, cybersecurity is embedded in how we run our operations, how we respond to incidents, and it really helps us very effectively balance operational efficiency as well as cybersecurity requirements and needs. And they are also quite close, I mean, not quite, they are closely integrated, connected with the group CISO office, which reports to me. So when we see certain threat intelligence or indicators, we have a very seamless way of actually engaging right from the line three down to line two to line one and getting everybody responding to incidents really, really fast. And that is a really amazing thing, I would say, that I have found in this company. I won't say it's the same for other companies, but I think this is really one of the best, one of the best configurations you can have in terms of running operations and cybersecurity effectively in railways. And as I said, the cybersecurity team in the railway operations is embedded and therefore it's very closely engaged with people or engineers who are not even cybersecurity trained and they can become ambassadors or champions for cybersecurity on the ground. So on a daily basis, the interactions could be that, oh, I've seen this phishing email, what do I do? 
And this really helps because conventionally or traditionally, security awareness campaigns are done from top down. So for example, the group CISO office will run a security awareness program, you paste posters everywhere and hope everybody looks at it. But I think from my perspective right now is that we do have a very different, well, we do have posters, but I think the more effective way of actually promoting security culture and awareness is really from the ground up. And that configuration really helps with it. Last point is around collaboration. So collaboration with cybersecurity is kind of like that elephant in the room that everybody knows that is the problem, but nobody really wants to talk about it, right? Because when you talk to cybersecurity practitioners, often you're expecting to hear, no, most of the time or all the time. Can I do this? Can I do that? No, you can't. It's against the policy. Don't do that, right? But I think when we have the interactions with engineers and we have embedded teams, the conversation would be a different one, right? It will be, yes, I understand what you're going through. Let's see how we can do this more securely. And that kind of like pans out in a very different way, right? It plays out in a very different kind of conversation. Ultimately it's about keeping the business effective. And as I mentioned quite several times, our DNA is to ensure that we keep our customers safe, our services reliable. And those are things that our passengers expect. So that is really how I think the configuration should be for cybersecurity teams in railway operating environments.

Roark: I'm curious, Shaofei. You mentioned earlier, I believe, that you said the cybersecurity organization is split where you have certain individuals that are focused on the rail technology environments, others that may be focused perhaps in the IT part of the business. Maybe you have some other divisions as well. Is that part of what helps align the operations organization and the cybersecurity teams and are there other things that you find really helps those two teams be aligned?

Shaofei: Absolutely. So it comes down to leadership, really big word there. But I think having the mandate for the CISO clearly defined both in the company as well as to the regulator really helps set the tone from the top as to what cybersecurity is responsible for and what the structure should be in the different business units. For example, in railways, how should they report to the group CISO? How should they report? Leadership is really important. And the second point which is related to leadership is leadership at the senior executive level. Does the chief executive officer, does he or she have the same concern for cybersecurity as the group CISO? Are they aligned? Who does the group CISO report to? So in my company, I report to the group CEO and that is not the case for a lot of companies. They report to the CIOs and whatnot. And that kind of like changes the mandate of the CISO. So because I report to the group CEO, I have a mandate to cover the whole company including the railway business and so on. So I suppose that helped me a lot. The other one is being aligned with the expectations from the board of directors, right? The board of directors is a very, very important ally to the CISO because that will actually set the tone as well as the structure of how the CISO should function in the company, right? Because if the CISO is more of a compliance function, checking the boxes, I think that is, well, I mean, that's all good for certain industries, right? But for an industry like railways, I think the CISO has to be prepared to roll up his sleeves or her sleeves to get things done, to solve problems rather than to just identify that, oh, we are not compliant to this particular policy or this particular clause, right? So that is one area. So I suppose leadership is really one of the most important aspects to address to have that kind of structure in place.

Roark: Perfect, perfect. And I assume a part of the job not just involves the operations teams, but also involves selling internally to your executive stakeholders that you're meeting or the CEO. It sounds like you're pretty well aligned. I don't know how much of a difficulty you'd have selling projects internally, but maybe you do. So I'm curious, that part of the job, how do you take that on? And also where do you focus as far as reporting up the success of your efforts from a cybersecurity standpoint in keeping people aligned? Well, that's almost like three or four questions in one.

Shaofei: Let me try, let me give it a shot, right? So I suppose the stakeholder engagement has to be really a concerted and intentional effort, right? You don't just talk to the group CEO and hope that everybody falls in line. So what I did in my first 100 days when I joined the company was to talk to every one of the corporate chiefs, whether it's the chief finance officer, chief corporate communications officer and everyone else in the senior leadership, right? Most of them anyway. The reason for that is that you need to actually understand from their perspective, what is that thing that will move the needle to implement cybersecurity that benefits them, right? Because oftentimes when you talk, as I mentioned earlier on, I alluded to the point that a lot of CISOs report to the IT departments. So they are seen as backend functions and they are not really enabling the business, so to speak, right? I mean, that may be a broad brush, but I think most of the companies actually face that. So one approach that I took was to actually position the cybersecurity function as a business enabler. And that really has to be the conversation right from day one when I joined the company, obviously. So I want to enable the business, I want to help them manage the risks. And that kind of like sets the stage for aligning business objectives across the board.

So when I put it the way you put it, to sell cybersecurity projects, right? It has to be something that addresses most, if not all of the expectations from the stakeholders, right? Because if you are selling a cybersecurity project that only answers to one particular stakeholder, right? Chances are the budget will have to come from them and that may not pan out really well, right? So when you talk about cybersecurity solutions or projects that actually benefit more people across the company, more businesses, right? That kind of like reduces the friction to getting the budget and implementing it successfully across the company. The second thing is about time. So I mentioned a little bit about technical debt, technology obsolescence, and especially in the railway industry, right? We are kind of struggling with this already, right? We are already dealing with technical debt and often when we talk about selling security projects or thinking about security improvements from a technology perspective, right? Are we introducing more technical debt? Are we introducing more risk to technical debt? Maybe not now, but maybe five years down the road. So I think it has to be a concerted, very, very intentional thinking as to what do we do in five years' time? Let's say we implement this security solution. What is in it for the business after five years? Do we change out the system? Do we, you know, and therefore the last part is about partnerships. So I mentioned the first one is diverse stakeholders, engaging with the stakeholders. The second is about timeframe, understanding the end-to-end system lifecycle and addressing those topics. And the third one is about partnership, right? So partnership is not just internal partnerships. It's also about external partnerships, finding collaborators, finding companies, for example, like Cylus, right?

To have those conversations as to how do we support each other, and having a partner will literally introduce more possibilities to enabling and, you know, lengthening or extending the success of that particular project on a technology in a railway system. So it's kind of not like implement this and, you know, five years later, we think of how to proceed with another vendor. I think it has to be more of a partnership to see how we can work with a partner or, you know, collaborator for the longer term.

Roark: Right, makes good sense, makes good sense. Well, I appreciate that. One last question and we'll wrap some things up. So I'm curious as you think about the future, and I'm sure you're chartered with that as a CISO, as you think about the future and where things are going in the operational rail tech environment and where it converges with cybersecurity, you know, how are you thinking about that? And, you know, what bit of advice would you give other CISOs that might be thinking about the same thing?

Shaofei: So that's a really tough one. I think it is vital to have a conversation with partners, with OEMs, with your stakeholders. And if the CISOs or practitioners have not started those conversations, it's time to start now. And the reason is simple, right? Because if you don't communicate, you're not having those conversations with whether partners, stakeholders, you're not plugging into the business. And if you're not plugging into the business, you're risking irrelevance to the business. And that's the worst thing that, you know, the CISO or the cybersecurity team should lend themselves in, right? Because if you become a backend function, you're not seen as a business enabler. You don't belong in the room, right? The other thing that is very important is help others to understand the so-whats of cybersecurity. I mean, myself included, I'm guilty as charged, right? When we talk about cybersecurity, sometimes we become so passionate about a topic and we start to use vocabulary that instills fear, uncertainty, and even doubt, right? F-U-D for short. And I don't think this pans out very well because when you instill fear, people will become very reactionary, right? They will say, okay, if that's the case, what do you want me to do, right? And if I do this, does it solve the problem? And you have just literally defined the outer bounds or, you know, the parameters of the conversation and you're not going to get very far with that, right? It could be a one-off conversation and that's it. So I think we, as cybersecurity practitioners, as CISOs, we need to really be obsessed, obsessed with the business that we are in, obsessed with safety, for example, obsessed with reliability and use this as the framework for our conversations and even topics with our stakeholders. Don't just stick to the traditional things like security by design, you know, all the stuff. I mean, we get excited about those terms, right? 
In our own circles, but when we talk to the stakeholders, they are like, what, what is that? And it's very tough to explain the so-whats to them. So that's one. The second thing is actually about reporting. A lot of us, maybe even in my previous, earlier parts of my career, right? I prided myself in doing very good work. Yeah, but I didn't communicate enough to stakeholders or even customers about the good work I'm doing, right? So of course it's good to be humble, right? But I think it's important to let people realize how much work the cybersecurity team, how much hard work they are doing as well. Even the partners, right? That's a hard lesson to learn at some point in your career. Yeah, you need to let people know, right? And if they say that, you know, you're just singing your own whatever, blowing your own horn or whatever, I would just go away with a laugh, right? At least I tried, but I think it's important, right? I think it's important to help everyone in the team to also get some recognition. Yeah. Yeah, so last one, basically to sum it all up, what I just said in the last five minutes is, I mean, being a CISO is one of the hardest jobs in the world. I don't envy anybody in the same role, right? It's hard, but I will say be kind to ourselves, be kind to those around us. And I think that will have a lot of dividends for us in both our careers and personal lives.

Roark: Yeah, that's great advice for anybody in any industry, but probably certainly as a CISO.

Roark: Well, Shaofei, let's wrap it up. If somebody wanted to get in contact with you, which one of the social media platforms are you active on or what's the best way to get in contact with you?

Shaofei: Oh, that's the easiest question. You can get in touch with me on LinkedIn. You can just search for Shaofei or SMRT. You probably could find me on LinkedIn, yeah.

Roark: All right, perfect. Yeah, you and I both have names that stand out. So easy to find on LinkedIn, certainly. So Shaofei, thank you very much for joining us today. That's the end of our show today. Until next time, keep those tracks secure.

Shaofei: Awesome, thank you, Roark. Thank you. Bye.
