
Securing the Tracks: The Career Journey of a Rail Industry CISO | Bill Heinrich | S1E3

In this Secure Tracks episode, we sit down with Bill Heinrich, a highly experienced professional in IT and cybersecurity within the rail industry. With over two decades of experience at prominent rail companies like Amtrak, BNSF Railway, and Union Pacific Railroad, Bill brings a wealth of knowledge to the table. In this episode, we explore the fascinating career journey of a rail industry Chief Information Security Officer (CISO) and discuss the implementation of cybersecurity programs for operational rail tech environments.

About our guest:

Bill Heinrich is a distinguished expert in the field of IT and cybersecurity within the rail industry. With an extensive career spanning over 35 years, Bill's expertise and experience make him a go-to authority in operational rail technology and cybersecurity. He served as the Chief Information Security Officer (CISO) for Amtrak, and prior to that, held significant positions at BNSF Railway and Union Pacific Railroad. Bill founded Strong Tower Cybersecurity LLC, and as a virtual CISO, continues to contribute his wealth of expertise, aiding organizations in strengthening their cybersecurity posture.


Roark Pollock: Hi, I'm Roark Pollock, and this is the first season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we'll discuss how to implement a cybersecurity program for operational rail technology environments. I'm really excited today about our conversation because we're talking with Bill Heinrich, who probably has more IT and cybersecurity experience in the rail industry than 99.9% of our listeners. Bill works as a virtual CISO for hire today, but previously he worked two and a half years as the Chief Information Security Officer for Amtrak, specifically addressing rail technology cybersecurity. Prior to that, Bill was at BNSF Railway for over 24 years, and was the CISO for eight years there. And prior to that, Bill worked in systems development for Union Pacific Railroad for over 13 years. Additionally, Bill hails from the great state of Texas like myself, so we do have that in common. So Bill, welcome to the show today, and thank you for joining us.

Bill Heinrich: Thank you, Roark, I appreciate the opportunity to join you today. Looking forward to the conversation we're going to have.

Roark: Great, great, yeah, I'm looking forward to it very much. So, Bill, before we get started, I'm always curious if you could tell us a little bit about your path into the IT and cybersecurity world, and specifically how you kind of blended those and got into the rail industry as well.

Bill: Sure. I started in the rail industry many years ago, in 1979. I started in a yard office, working on dispatching trains and doing various yard office functions. I was allowed to take an assessment test for lighting at that time. And, you know, in that day and age companies really recruited their IT professionals from within the company. And so I passed the test, and that began my IT career in 1980. And so, as you mentioned already, I spent several years at Union Pacific doing various applications development and systems development functions. I went to BNSF in 1993 and spent 20 plus years there, and I did all kinds of things there: systems development, infrastructure management, Enterprise Information Management. They presented me with an opportunity when the current security guy at BNSF was retiring. They presented me with an opportunity at that point in time to move from my role as Enterprise Information Management Director into the CISO role. And so I took the opportunity to do that, and the rest is kind of history.

Roark: Got it. A long and illustrious career. All right. Well, Bill, I think what we'd like to do today is use your career a bit and talk through, you know, how you've progressed over the years, and use that as a way of starting to think about: if you were a new CISO coming into the rail industry, and specifically taking over responsibility for the cybersecurity risk within the operational rail tech environments, what might that kind of program look like? And hey, at the end of the day, maybe we help you from a virtual CISO perspective as well. Right?

Bill: Sure. Yeah. I mean, this CISO has to understand the lay of the world when they sign up. So, you know, they spend their first 60-90 days truly just understanding what's happening in the organization on cybersecurity, trying to understand what kind of things have and haven't been implemented, what kind of technologies are out there. In the rail industry you have both the data center IT functions, but you also have the ICS/OT world, which presents a whole other dimension of opportunity and responsibilities that, you know, a lot of companies that don't have operational technologies don't have to worry about. So, you know, the first 90 days or so you need to do an assessment of where you are and what you have out there, and go from there: see what kind of a program you need to implement and which you need to focus on more. Typically, I think you're going to find that the cybersecurity functions are pretty well set up, and the things that probably aren't as well set up are the ICS/OT world. Right?

Roark: Yeah. And it's that operational rail technology environment that we want to talk about today. And I'm curious, you know, let's start a little bit with your time at BNSF Railway. You served eight years there as the CISO. So what were your early experiences in starting to think about getting your hands around the cyber risk in the operational rail environments? And how did you go about doing that? And perhaps, would you do something differently today than that first time around?

Bill: Yeah, you know, back in those days there wasn't a lot of focus on the ICS/OT space, the operational technology space. And so we knew that we had technology out there, and, you know, at a lot of railroads, in the case of BNSF, and it was the case at Amtrak too, a lot of the operational technologies are implemented outside the IT organization. So there's not necessarily visibility to that stuff. And so first of all, you need to understand how you're going to get visibility to it. What we did at BNSF, as we started out, was very rudimentary: we just started doing network scans and tried to identify what was on the network. And then when we found something, we tried to evaluate that technology through port scans and other ways to see if we could determine what it was. And I just started to build an inventory, because we didn't have an inventory at one time. So we started there; it was pretty rudimentary. We tried to get some exposure to what we were doing through the leadership in the IT organization and get some backing for the work that we needed to go off and do to protect that environment. So that's kind of where we started: really just basic networking, getting close, and so forth. We really didn't have much to work with. And we came to find out that we had to really work with the non-IT business functions in order to understand what really was out there. They were the ones that had put it out there, they were the ones that knew where that stuff was, and they were the ones that knew if a third party was managing it. And when they were managing it, we needed to work with them on what we needed to do to start evaluating and protecting that stuff.

Roark: Bill, it's a little bit surprising to me. You know, you always hear people talking about the fragility, perhaps, of some of the operational systems relative to scanning those networks, and not wanting to do anything actively on those networks. I'm surprised you were doing that yourself. Did that work? Were you running into problems?

Bill: It's funny you should ask that question. Yeah. I mean, it worked for the most part. We stumbled a couple of times, where we may have taken a control system down. You know, what people need to understand is that some of that technology that's out there is 40-50 years old. And it's a control system that does a very specific function, it does it very, very well, and it has done it very, very well for many, many years. But one of the things is, they are fragile, and they were built in a day and age where they weren't as redundant or resilient as technologies today. So we did run into a couple of opportunities where we scanned the device, did a port scan on it, and took the device down, and had to quickly work with the business functions to get that device back up so it didn't impact any of the operations of the railroad.

Roark: So that's one way to introduce yourself to the operations team. Not the best way necessarily, but yeah, it is one way to do it. I take it that's not necessarily something you would advise clients to do today.

Bill: No. Yeah, there's other ways to go off and do that stuff, I think. And yeah, that was just a method we used, and we went into it very naively and not thinking it through. And like I said, it was back in probably 2015-2016, when there wasn't a whole lot of focus around this, and not a lot of technology around to even help us. Right.

Roark: Right. Yeah. Right. So as you started getting into the systems in the operational world, you know, how did you think about the scope of the systems or the technologies that you looked at in the operations environment? And how did you start to put some structure around just even thinking about the risk, or perhaps even doing some initial evaluation or audit in the environment?

Bill: Well, we did. We looked at some of the, I would say, framework standards out there. You know, there were some really good ones. The NIST cybersecurity framework wasn't out there necessarily; at that point in time it was in early stages of development. We did refer to the NIST 800-53 stuff. We looked at the ISO 27001 stuff. We actually ended up using a tool from the Department of Homeland Security called their Cybersecurity Evaluation Tool, the CSET tool, which helped us work through asking the right questions about the technology. The tool was primarily built for the industrial control system world. And so we were able to use that tool and ask questions about what was out there and try to initially come up with a risk rating for what we were seeing. And then, you know, PTC was heavy in implementation at that point in time, too. So we were getting some visibility around what we were doing to protect those assets that were supporting that positive train control system, too. So it all kind of came together at that point in time, when we had to start risk grading various things that we needed to work on and figure out our strategy for what we were going to do to protect that stuff.

Roark: Got it. Got it. You answered my next question. I was just curious about the frameworks you were using back at that point in time.

Bill: Yeah, you know, our scope was pretty broad. When we started, we just wanted to know what's out there. And then we kind of had to narrow in once we ran into various things, and tried to figure out which ones were the assets that we wanted to focus on initially, because there was just too much to start off with. And as you go through it, you find out there's a lot of stuff out there. Some of it has good protection around it.

Roark: Yeah, you know, that's kind of the first step for everybody, I think. Yeah. So once you kind of get your hands around it, and you have a sense of the risk that might be in that environment, I guess the next step is starting to try to champion some efforts internally about how to address some of those risks, and essentially drive awareness internally of some of the risk that you are now aware of, perhaps for the first time. How did you go about trying to champion that within the organization?

Bill: Yeah, you know, at BNSF I probably didn't do as good a job as I could have done championing it across the business functions. I could have spent more time over there working with them to help them understand why we were interested in that stuff, and why we were interested in protections around it. Initially, as a CISO, I was reporting up to the CIO. And we kind of kept our focus internally in the IT organization and why we had to be focusing on protecting those assets. The CIO was very much into doing what we could to protect that stuff. And so we started to implement strategies around how to do it within the IT organization, not necessarily working with the business functions as closely. Most of our stuff was really going to be focused around how to do network segmentation, physical network segmentation. And we would work with the business as we were moving assets from one segment to another. But a lot of the work was done with the internal network team, and that network team at the time actually resided in IT. So we were able to work with the IT organization and had CIO support to start doing some of that work there.

Roark: Okay, so you started prioritizing at the network level and trying to segment once you got through the assessment and audit phase.

Bill: Yeah, we knew that we needed to get some of those, especially those very fragile pieces of control systems out there, segmented off so that we could restrict what type of traffic hit them and who could actually go at those devices. So that seemed like the good first step for us, to figure out how to segment that stuff off.

Roark: Right. Right. That makes a lot of good sense. Any hard-earned lessons or failures that you learned from during those early stages?

Bill: Yeah, you know, I already talked about one: you have to be real careful what you go off and do, and how fast you want to go off and do that stuff, because those technologies do run the railroad. Now, what we impacted wasn't necessarily around transportation management, it was a specific control system that managed a very specific thing. But taking it down actually delayed a couple of trains. So you have to be very careful how you head into this. If I had to do it all over again, I would spend more time working with the business functions that put it out there, sit down and have more conversations with them around why they put it out there and why they put it out there the way they did, and try to work with them more closely to get buy-in and support from their side to do stuff.

Roark: If you were just looking at it from the network level, how did you go about understanding the functions of the systems, and just operationally what the different applications and systems were responsible for in the operational environment?

Bill: Yeah, when we were doing our scans, of course, we came up with stuff that we found out there. And then we would start to build an inventory. It was pretty rudimentary, it was a spreadsheet of stuff. And we would take that over to the business functions, in this case the engineering department, and start talking to them about what was out there and what it was used for. And then we would start to work with them to drill into the technology itself to see what kind of controls and protections were around that technology, around access controls and things like that, and the criticality of the control system. And, you know, I tried to understand what would happen if that control system went down, the risk around that, and those types of things.

Roark: Right, right. Okay. So you were working with the engineering and the operations teams just as much as you would?

Bill: Yeah, probably more reactive than proactive. And, you know, I would do it differently if I was doing it again. Going into it, I'd be more proactive in reaching out to them and helping our teams understand what was out there better, working alongside them.

Roark: Right, right. Okay, that makes sense. Well, you did get a chance to do it again. I mean, after a long stint at BNSF Railway, you then moved to Amtrak to take over as CISO there. You know, I'm curious, why make the move, and what was your charter as a new CISO coming into Amtrak?

Bill: Why make the move? Well, it was a big move, and one that I didn't take lightly. The opportunity was to go in and build a cybersecurity program. You know, they had some good stuff in place around the IT assets and data center type stuff, but they were, I guess, weak in cybersecurity around the operational technology space. The current CISO there was retiring, and they went to the market to look for somebody that had Operational Technology, Industrial Control System backgrounds. And they looked specifically in the rail industry, and then outside a little bit. But that's how I was recruited at that point in time, because of a little bit of experience I had at BNSF, to come in and do that at Amtrak.

Roark: Got it. Got it. So you were the perfect fit coming into that role.

Bill: Yeah, I guess so. 

Roark: Not that you would sell yourself that way. But so again, you know, my thought is, let's treat this conversation almost like a how-to for somebody that might be in the same seat today, you know, worried about building cybersecurity kind of step by step in that operational rail technology environment. So why don't you tell us how you came in with a charter to specifically focus on that rail tech environment, and tell us, you know, what were your first steps coming into that role? And how did you go about it? Maybe unlike the first time around you did it, how did you go about championing internally and getting some buy-in for your charter?

Bill: Well, unlike BNSF, when I stepped into the role at Amtrak, they had already hired a third party to come in and do a full assessment on their industrial control systems network. And so based on that assessment and the findings, the board of directors and the CEO and the executive management were briefed on what was found in that report. And so there was some urgency put around being able to mitigate the risks that were found there. And so I stepped into it with a good step already taken. You know, initially, if you're going to step into the role new, you would want to do that assessment yourself and try to understand what was out there and what kind of risk posture each of those devices had. Fortunately, that was done already by the time I stepped into the role. So I really took what was done out of that study, and had the full support of the CEO and the executive management team to go off and do what we needed to do to close the gaps that were found in the study, which helped a lot, actually, when I went to work with the business functions that had implemented that technology. And in the case of Amtrak, it was within the operations team, but the engineering team within the operations team had done most of that. And they actually were the ones that even managed the network at the operational technology level. So they not only managed the technologies that were put out there, but they managed the network itself. The IT organization managed the IT network, and those two were plugged together, you know, through a firewall and such, but that connection is where the Engineering Department took over. So, in order to do anything in that space, you had to work through the executives over there and down through the organization to get support for what you wanted to go off and do.
Fortunately, again, I came into it with a lot of high-level support from the organization to make this happen. So if I wasn't getting what I needed to have happen, it was pretty easy to, you know, help them understand the charter I was given.

Roark: Yeah, well, it's a fantastic opportunity to step into. Let's assume it wasn't quite that far progressed, and you had to go sell internally and get people on board. What do you think that process looks like?

Bill: Well, yeah, so you can do it, you know, you can either do it internally yourself, the assessment that that third party did for us, which is what we were trying to do at BNSF, or you can hire somebody to do that and come out with a full risk assessment. You know, that takes money either way, I guess, but you need to understand, if you don't have that study done, you've got to get there. And so you've got to understand the risk posture for all that technology that's out there. Once you understand that, it becomes a little easier to sell to the chief operating officer that, hey, you have this technology out there, it's doing what it's supposed to be doing, but there are some gaps in the cybersecurity space there, and we need to do something to address the gaps we're finding. If we don't do it, here's the risk, and here's what could potentially happen to your operations and what could potentially happen to the business. And so, you know, the CISO's role is a lot about managing risk and communicating risk. And you've always got to have those conversations around: if we don't do something, here's what can happen, and here's kind of what the potential impact to the business is. I would approach it that way, too.

Roark: Yeah, it always turns back into a risk management conversation, right. Yeah. Well, anytime anybody takes on a new job, you know, if you go read the advice on what to do in your first 90 days and these kinds of things, there's always advice about looking for early wins, or some low-hanging fruit that you can take advantage of and build some credibility, perhaps. Was there anything that you were able to do early on that helped build that credibility as a quick win, perhaps, when you stepped into that role?

Bill: Yeah, you know, on my security team I had an individual, we had assigned an individual full time to do industrial control system work. And she had a great relationship with the business at that point in time, too. So that helped a lot, being able to step in there and work with them. But there were some things, you know, there are probably a dozen things that we call low-hanging fruit, that we were able to show them that if we did these things, we would increase our security posture greatly. And some of them were easier things to do. Some of them were not so easy to do. But we had a list of about a dozen things that would take probably a year or more to actually work through, because of the sensitivity of the control systems that are out there and being able to implement those things and roll that control system network over. But yeah, there were several things that we found. And they agreed, once we found those things, that those were opportunities or holes in what they were doing. And we got good support once we started working through these things and they saw the risk around that. But there were a lot of conversations around: here's what we found, here's why it's a problem, and here's what we recommend to fix it. And we garnered their thoughts and got their feedback, too. And if they had feedback on different ways to do it, we would listen to them.

Roark: Is it possible to give an example of any of those things without giving away anything proprietary or saying too much?

Bill: Yeah, I mean, one big issue in the industrial control systems space is just around passwords. You know, a lot of passwords are easily guessed, or maybe they're default passwords. So we found some of that out there: devices that either had easily guessed passwords or default passwords, or non-expiring passwords, things like that. So we implemented some technology. We actually rolled the technology we could into our Active Directory infrastructure, so that we could actually start enforcing our password management rules from the corporate level into the control system space. We also implemented some stuff around USB keys, because at that point in time you could just go off, you know, go to Best Buy or whatever, buy your USB key and do what you want with it. Yeah, so we would enforce standardized USB keys, and only those USB keys were allowed to be inserted in those devices, and they were keys that we knew were secure. There's some, you know, even just access control into the machine itself. There were third parties that supported it, and they would have their own way to remote into those devices. So just changing that up and going through more of a corporate VPN solution, so that everybody was coming through a standard security infrastructure component to get to those devices. We had to work with the third parties to get them moved over and do that. But those are some of the things that we worked on, with some other things, you know, simple things, too, like just an incident response plan. There wasn't one for the industrial control system space. And, you know, who was going to be called when, on what, and what was going to be considered critical.
And yeah, so there are some low-hanging fruit things that you need to work on. You know, some of the things, because that technology has been out there for a while, some of it, they're obsolete devices. And some of it had operating systems or firmware that had not been upgraded for a while. I think you'll find a lot of that with the control systems out there that have been out there for a while. So we worked with the business to be able to, if they needed to replace the technology, we had funding to help do that. Or if we just needed to patch to get the device up to speed with firmware or operating systems, we were able to do that. That took a little longer, because that has to be thoroughly tested out before you roll it out. So you need to put that on and fully test it out before you roll it into production. So that's why I said it might take a year or longer to do some of these things, because when you roll through that, you have to be careful how quickly you roll through that stuff.

Roark: Yeah, I'm sure that's a challenging process. Okay. Well, thank you for giving us those examples. They're not things that are surprising. I mean, you see it in a lot of industrial environments. Certainly the rail industry isn't immune. You spoke earlier about some of the frameworks that you considered in the early days when you were at BNSF, and what you applied in building kind of a program there. You know, today, or perhaps when you were at Amtrak, where do you start? Did you have different frameworks that you used as a baseline when you started over, I guess, during your time at Amtrak? Or would you suggest even something different today?

Bill: Yeah, when we were there, we actually started adopting the CIS framework. And we had signed on to that and started to roll that out across the IT infrastructure, as well as the OT infrastructure, and found out that maybe the organization wasn't as mature as we needed it to be to roll a lot of that out. So we rolled back to the NIST cybersecurity framework on that stuff. So that's kind of, I think, where they landed and where they are today, measuring themselves against that framework.

Roark: Yeah. Well, it's a good framework, because it's somewhat flexible, and you can work it to fit your environment. I know they are still using that, and it's the best one they've got. You know, as you think about diving into a new area, I mean, I know you talked about the early things that you were doing in the environment to improve your risk posture, but are there certain things that you look for to get a baseline of just certain technologies in place? Kind of where do you start thinking about, you know, technology-wise, from a cybersecurity standpoint, what's required and what's perhaps optional in the early days?

Bill: Are you speaking about which control systems are necessary, or are you speaking about the security tools and technologies and so on?

Roark: I was thinking more along the lines of the security controls and technologies that you have in place in that environment.

Bill: Yeah, I mean, when I was at Amtrak, we were looking for tools that would help us automatically find what was out there, automatically profile or fingerprint what was out there, be able to give us the ability to see what kind of traffic was going in and out of those devices and whether or not there were some anomalies going on, and down to the very specific rail tech components that are out there, right. And what we found, before I left, was there are some ICS tools, OT tools, out there, but they're not defined or built for the rail tech space. They're really generic OT tools. And they will help you, from a high level, understand what you have out there. But as far as if you want to get down to the specifics around the rail technology, understanding what the different switches are doing out there, or the various components of an operational rail technology environment, they couldn't get down to that level as far as fingerprinting those things and helping us understand how to manage those things. So there were some challenges there. So, you know, the key to getting your hands around this stuff is being able to have visibility. First of all, it's understanding what you have out there. And then once you have understood what you have out there, try and understand the posture of those things that are on there: what kind of technology is running on those control systems, is the firmware upgraded or not, how old is the hardware, those types of things, and being able to understand what kind of traffic flow is normal versus what may not be so normal. And so we didn't find a lot of technology at that time that would support us at that lower level.
Like I said, again, at a higher level in the IoT space, there are things out there. But as you drill down and get finer grained, there weren't those tools out there.

Roark: Got it. Got it. You were just trying to get beyond having to do that manually, I assume.

Bill: Yeah, yes. We spent a lot of time doing manual collection of things. And we needed to do that, because we didn't have technology to do that. So we spent a few months just actually physically going to all the trackside bunkers and documenting what was in there and taking pictures. But, you know, as soon as you capture that stuff, it's outdated, because it's all manually captured. So we did build an initial inventory of that stuff. And then we were able to risk assess and understand which were the opportunities that we needed to address first of all. But there just wasn't an opportunity for us to do that in an automated way at the time.

Roark: Yeah, that's a lot of time in steel-toed boots.

Bill: It is. Yes, it is.

Roark: Now, okay, well, let's shift gears a little bit and talk about the people side of the equation. You know, when it comes to cyber, especially getting into a new environment like the operational rail technology environments, were there organizational things that you had to address in those early days, or new skill sets that you had to bring on? What was necessary to execute against your charter?

Bill: Yeah, I was given just a small team, and wasn't given much resource to build beyond that small team. We did free up one individual that was 100% focused on the cybersecurity aspects around the control system technologies. And she primarily interfaced into the business and helped them understand what needed to be done. A lot of the work that needed to be done at Amtrak had to be done in the business function because of the way they were set up there. And so she would help them work through that and support them, and we did have IT people outside of my team that would help us with looking after directory implementation, whatever. But yeah, so you need to have somebody on your team, obviously, that's focused and dedicated to the control system world and understands it. And if they don't understand it, they can build that skill and learn what to do there. So that's what we did. I also built up my security operations team at that point. We had an internal Cyber Security Operations team, and I built that up a little bit to be focused a little bit more on what was going on in the control system world, the operational technology world. Today, I think, you know, at Amtrak, they have actually invested more heavily in their cybersecurity team. And so they have a whole team of people very focused on rail tech itself, and so there are more people focused on that and working with the security aspects of it. So, at a minimum, you need one person that's really focused on it. But it would be nicer to have a team. I didn't have a team at that time, I had one person, but we were doing as well as we could with that one person.

Roark: Got it. Sounds like, organizationally, the big challenge then was just having an organization that's focused on the IT part and an organization that's focused on the rail tech part.

Bill: Yeah, there's some overlap. But yeah, you need specific skills on both sides.

Roark: Right. Right. Our last guest that we talked to on the show alluded to the same thing. They have their team separated into two different functional areas.

Bill: Yeah, exactly. Right. You need to do that, because there are enough unique things in the rail tech space that you won't see in the IT cybersecurity space.

Roark: Yeah, right. I know, as a CISO, obviously, a big part of the job is about communication. You talked a little bit about the fact that you walked into a pretty good position there, not having to do a lot to get buy-in. But earlier, you talked about being proactive with the operations team and driving collaboration there. And I'm curious how you managed that part of the process: building buy-in from the operations team, and building collaboration, more importantly probably, with the operations teams. Are there tools or processes or things that you think help get the security organization and the operations teams speaking the same language?

Bill: Yeah, I mean, it's a challenge, because you're walking into that environment, and there's not necessarily trust built up there. You know, at the executive level I had complete support of what we were doing, and buy-in. At the chief operating officer level, at the chief engineer level, I had all the support I needed to go off and do it. But you're still stepping into a room of people who are actually doing the day-to-day work, and are managing the day-to-day workers. And there's not that trust relationship that you have. And so you walk in and say, I'm here to help you. And, you know, they're not necessarily thinking they need help. And so you have to walk through what you've seen, why it's important, help them understand the risk, and what we're seeing from a risk posture, and help them understand what we're seeing from the outside world on ways that people can get in and do things. And it's an education process on cybersecurity. The people I was working with at Amtrak on the business side, they were very, very good at managing the network. They're very good at managing their technologies; they keep their functions doing what they need to be doing. But they weren't necessarily as up to speed on the cybersecurity risks and cybersecurity issues that were out there in the world. So it was helping them understand that, and then working with them to start implementing some of these low-hanging-fruit things to show them that, you know, we're not here to badmouth you, we're not here to belittle you, we're here to work alongside you and make things better. And it took a while. It just takes a while. You have to do things side by side and get things done and build that trust relationship.
I think after we did a few things with them, they began to understand that I wasn't going to go up to the executives and say, hey, they did a bunch of bad work. No, I was going to say that we're working together and we have these initiatives and we're making progress on them.

Roark: Yeah, I think you've probably hit the key: it's about trust and building a relationship. So tell me about the vendor community, and managing and working with the vendor community in the operational environment.

Bill: Yeah, so it is a complex world, because in some cases the vendors themselves are doing the work on the control systems. It's not necessarily Amtrak or BNSF, it's actually a third party that rolled out the technology that does that. Getting them to buy into what you're doing, as far as rolling it out: they're used to looser access around that, a looser ability to get in and help support those technologies that they've been hired to support. So we had to work with them to understand that that wasn't the best way to do business, and help them understand that going through a more secure way to get into the systems to support them was a better thing for the company, and for them long term. It's a tough thing, because they existed for years being able to do it the way they wanted to do it, and now you're having to change the business process for them. But we worked through those issues. But yeah, you're going to have some pushback on why we need to do that, and "you're making an order on me," and so forth.

Roark: Yep, understood. Makes sense. So, one final step. I know, in your role, a big part of it is reporting on the value or the impact that you're having on the organization. And I'm curious how you went about reporting the value of the security programs you were implementing in the operational rail tech environment, whether it was to the board, your internal stakeholders at your level, even your own teams or the operations teams themselves. What did that process look like?

Bill: Yeah. So I got a lot of visibility at the executive level in the company. I was invited into the every-other-month board meetings. They had a board committee that was focused on safety and security, and that was one of the discussion topics in that subcommittee. And so every other month, I would come in and talk about what we were doing in the cybersecurity space, what we were seeing, how we were going about rolling out the initiatives. There were low-hanging-fruit initiatives, as well as what the strategy was going to be to fix all these problems longer term. To get past the low-hanging fruit, we still needed to think about network segmentation, and automated asset inventory collection and assessment, and so forth. So I would go in every other month and communicate to the board the initiatives that we were working on, the status of those initiatives, and how much we were spending. I would also meet with the CEO occasionally to talk about: here are some things we're finding, here's what we're doing about it, and here's the money we're spending. I won't say I had an open checkbook, but I had a lot of support from the CEO to go off and do what we needed to address. But what came with that is making sure we reported back frequently on what we were doing, and showing that we were actually being responsible for what we were being given, and that we were actually making progress to close the gaps that were found and increasing the risk posture for the company.

Roark: Yeah, yeah, it sounds like it all comes back to managing risk again, and reporting on how you're doing that. 

Bill: Pretty much. Yeah. 

Roark: Well, as we wrap up here, I know time goes fast when you're having fun. But as we wrap up, is there anything that we might not have touched on that you think is critically important for somebody in that seat, that you would give as a last bit of final advice?

Bill: I think we've pretty much covered it. You know, building relationships, obviously, is hugely important. Understanding your world is key to getting the support you need to go off and do what you need to do. I think we've talked through most of the things that we need to worry about. If you understand your world and understand the risks that are in the world, you're able to communicate what needs to be done, what controls need to be put in place, what kind of investments we need to make, either building up the security team or investing in technologies, and being able to show the better believe that.

Roark: Right, right.

Roark: Well, that's awesome, Bill. So, Bill, if someone wanted to get in contact with you, are there any social media platforms, or what's the best way for somebody to contact you if they wanted to chat?

Bill: Well, I am on LinkedIn. Out there it's William Dunn Heinrich, way Heinrich. I also have an LLC set up for my vCISO business, and it's Strong Tower Cybersecurity. I don't have a website yet, but I do have an email address, which is

Roark: All right, perfect. Well, Bill, we certainly thank you very much for joining the show today. We certainly appreciate it. I think your advice has been spot on. It's fantastic to be able to share your expertise with the folks on our show. That is the end of our show today. So until next time, keep those tracks secure. Thank you.
