Ep 29: Defending the Railroad: AI Risk, Rigor, and Resilience with CN CISO Vaughn Hazen

Evan Reiser: Hi there, and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders leverage AI technologies to stop the most sophisticated cyberattacks. In each episode, Fortune 500 CISOs share how AI changes the threat landscape, real-world examples of modern attacks, and the role AI plays in the future of cybersecurity. I’m Evan Reiser, the founder and CEO of Abnormal AI

‍Mike Britton: And I'm Mike Britton, the CIO of Abnormal AI.

Today on the show, we’re bringing you a conversation with Vaughn Hazen, Chief Information Security Officer at the Canadian National Railway Company. 

CN is Canada’s largest rail operator and the only one that spans the Atlantic, Pacific, and Gulf coasts, running over 20,000 miles across North America. 

There were three interesting things that stood out to me in our conversation:

First, at CN, deepfakes aren’t a hypothetical risk. Vaughn’s team actively prepares against these modern impersonation attacks through tabletop exercises. 

Next, defending a century-old railway with both legacy systems and modern cloud-native stacks requires a dual-security model; tailored protections for (on-prem and modern environments) working side-by-side.

And finally, one of the more unique use cases Vaughn highlighted involves an AI-powered chatbot that keeps asset inventories accurate and current, automating a task that would otherwise require tedious manual follow-ups.

Well Vaughn, thanks so much for joining us. I've been looking forward to this episode. To start, can you give our audience just a brief overview of your career and your current role at CN?

‍Vaughn Hazen: Yeah, sure. So I started out really coming out of the army, went to get my electrical engineering degree, started out as a telecommunications engineer. I started working around some phone fraud things that came up through that process. I started reading 2600 magazine, getting involved in some of the phone phreaker at the time activities and learning about what they were doing there. Started putting out some of the first networks that we had at some of the organizations I was involved with, wide area networks and connecting to the internet, starting to deal with some of the challenges that came with that.

And when I was at one of the larger chemical organizations that I worked for, we were reviving the internet connectivity. And I had a conversation with the corporate information security officer at the time about where we would put the intrusion detection systems and how we would place that in the network. And she disagreed with me. We were kind of loggerheads for a bit, but her consultant said, no, he's right. And so she said, okay, you're part of the cyber security team. And that's how I got pulled into cyber. Um, did that for a few years there and had an opportunity to go to a mining company as their first CISO, um. Built out the program there from scratch. then, you know, kind of felt like, uh, I was in a good place there and had an opportunity to come up here to, to Canada and Quebec and I couldn't pass that up. And so I've been here for almost six years now.

Mike: You know, one of the things that, you know, I like about this podcast and this job is getting to hear about some very unique companies and what's different and learning a little bit about organizations that I probably didn't know much about prior to that. So for our audience who might not be aware, can you kind of give the audience a good understanding of CN?

‍Vaughn: Yeah, so CN's a freight railroad. We operate in North America. We have about 20,000 track miles. And what's unique and interesting about the railroad is it's kind of almost like a telecom company because you have basically a continuous network that crosses from the West Coast to the East Coast in Canada down to the Gulf Coast in the US. And of course, a bunch of little branches off of there. So it does bring its own unique and interesting challenges.

Mike: Given the size and the scope and the breadth of the areas you cover and the rail lines and the employees and all of that, is there something with your cybersecurity program that may be unique to other organizations or maybe even other industries? Maybe what's something unique about the CN cybersecurity team or some of their use cases that others might not fully appreciate?

Vaughn: When you look at, you know, cyber organizations, they kind of get built up around the particular organization that they're a part of. And so you kind of match up against what are the unique and interesting challenges of that business or organization. And, you know, some of it may be just the structure of how they're built out, you know, whether they have a significant cloud presence, whether they're dealing with more of an advanced technology approach or whether they're kind of more conservative in that, you know, so you really kind of align to whatever you're a part of. And it's interesting with the railroad because we're a hundred year old company. 

We've got some systems and technologies that are a little bit older. We've got some systems and technologies that are kind of leading edge. And so we've got a mix of things that makes it kind of unique. And we've got to deal with the challenges of, you know, the on-premise legacy technologies, along with, you know, some cloud leading edge, cloud native stuff that we're working towards. And so we've got kind of a two-tier security approach that makes it a little bit unique and interesting for my team to deal with.

Mike: And with a hundred year old company and a lot of, I wouldn't say low tech, but you're also dealing with the physical side of things of transportation, how do you transform with AI and cloud and new technologies? I'm sure it's a fascinating world where you probably have some very old legacy technology, probably have a lot of tech debt that is sometimes difficult to quickly migrate off of. But where is AI and cloud playing a role in CN?

Vaughn: I think that when you look at AI, so AI is a broad term, you know, and when you think about like machine learning, we leverage machine learning in our automatic track inspection portal. So we've set up these portals. They've got video cameras, high speed, high definition video cameras that are capturing a lot of data as the trains roll through those portals. And then we've got some machine learn models that are set up to help find challenges and issues with that train as it goes through. And it's a safety oriented aspect that is really designed to help us avoid derailments and unplanned outages and those kinds of things that may happen with defects in the trains. 

We've got some other things that we're doing in relation to trying to optimize the way that we operate our yards. And that's a cloud native solution that we're leveraging there. There's some other things that we're looking at in terms of how do we do more efficient and effective coding. And of course, everybody's leveraging those kinds of capabilities now, to advance their capabilities there. And then there's some things that are built into the tools that we already buy.

Our endpoint protection leverages some machine learning. There's a lot of things that are going on with that kind of effort that, so we're all getting touched by it in one way or another. What does that mean for my team? It means that I've got to upskill folks, I've got to work with, you know, some new approaches to the way we do security. You know, we're always advancing and trying to figure out how we can do this better. Because, you know, to be frank, you don't get increased budgets just because life gets a little bit more difficult. You've got to find ways to be more efficient and effective with what you've got. And so, you know, that that's part of what we are always trying to deal with.

Mike: And how does your team, you know, because one of the challenges I've always had and seen is the business sometimes runs faster than IT and sometimes runs faster than security. And some of those boundaries are a lot easier for them to hop over with cloud and AI. How do you stay up with your business when they're wanting to transform?

Vaughn: The thing is, is we are a regulated business. You we do have some things along those lines that push us to do things in certain ways. So it's not a free for all. It's not quite like that. You know, certainly the business has requirements and demands and, you know, they have timelines that they're trying to drive to, and we need to adapt to that. 

Part of that is in the adoption of AI and how do we do that in a way that doesn't hold them back, but still protects the organization, protects the data, makes sure that we're in a position that we're not gonna get ourselves into more trouble by addressing some technologies that frankly we're just not ready to deal with. 

So, you know, it's there's there's processes that you have with procurement. There's, you know, some things that you do in terms of your third party risk assessment approaches. There's things that we do with our integrated risk management. All of that's designed to help us position ourselves to where we are securing those, those approaches of trying to move fast and still support the business.

Mike: I want to switch gears and get your thoughts on, you know, any technology out there while we can use it for good. Some attackers, some bad guy can also use it for bad. Where do you feel like the threat landscape is changing today with attackers being able to use AI and how easy it is for them to to be able to generate some pretty powerful stuff either through, you know, AI coding or just AI in general

Vaughn: I think what, what you're seeing is that there's the ability to rather quickly and easily impersonate others. You know, whether that's voice video, you know, there's, there's the possibility to do that and fairly convincingly, we're seeing that play out with, with, you know, the the Secretary of State of the US being impersonated, trying to reach out to different leaders across the board. You're seeing it play out with fraud attempts. You're seeing it even with attacking individuals, pretending to be family members with some kind of recorded voice that they then are using to leverage, to pretend to be somebody else and say, hey, I need money, you know, and really leveraging that to amplify their pretext and to really socially engineer somebody into handing over cash. So, you know, that certainly is happening.

We've actually done some, some tabletop exercises, leveraging deep fakes as, as part of that process. You know, it really gets down to making sure that you have the right processes in place to be able to counter that type of fraud and impersonation, you know, so if you've got strong processes, it can help overcome a lot of those types of, of impersonation, deep fakes.

So you're seeing that, you're seeing them leverage capabilities. So previously you'd see phishing email with typos and errors and grammatical problems and so on. With the generative AI, it's easy to write a phishing email that is fairly convincing, even if it's not in your native language. You can do something that maybe takes some information about somebody that you know, so you can say, write it as, you know, an individual so it really sounds like their written voice, you know, everybody has their own style and that can come across fairly easily.  So, you, you're seeing the ability to leverage those tools to do things that, you know, if you're of a nefarious mind, you can leverage it that way. 

So yeah, it does create some challenges. But again, this is where strong processes come into play and recognizing that it's not new for people to try to do these kinds of things. And it's just that they're a lot more convincing than they used to be. And again, if you have strong processes and if people are adhering to those processes, you can still overcome it, but it is definitely a lot more convincing than it used to be.

Mike: Yeah, no doubt. Are there any, you know, exact use cases or specific examples that stick in your mind? You know, it's always easy to talk about the theory and figure out and kind of pause it where an attacker could, but is there anything that you either heard from your network or your community where you're like, that's a pretty scary attack from an attacker. You know, I can definitely see how they're using AI or they're using new tactics to perpetrate fraud and perpetrate cybercrime. 

Any specific examples you can think of?

Vaughn: So, one clear example is you should not enable somebody to just send a message to change banking information. If your system works like that, you've got a real problem. You should always have a process where they're contacting the individuals directly to validate that information, leveraging information that they already have, contact information they already have on hand, not obviously something that's at the signature box of an email that they just received, actually going in and validating that process for changing banking information. For making payments, there's a whole process around, you know, you should have a PO already existing, they should have a reference to that. It should have approval processes, all of those kinds of things that need to be in play for your process.

And yeah, okay, it's a little heavier to do that. But if you take away the ability for some individual to be fooled, and then that resulting in significant losses to your organization, I think that's well worth that additional layer of overhead to work through those processes.

A lot of our processes, there may be notifications via email, but you don't work through the process in email. It's just saying, hey, you've got something you need to go approve or you've got something you need to review. Email should be a notification, not necessarily the process. 

And the approval, you have to make sure that, you know, for example, you're not allowing web access without multifactor from the internet to go in and do approvals. There's validations in that so that you're using things like conditional access and whatnot throughout those processes. 

Those are all key to making sure that you've got a secure process that, even if it's a callback as part of that process, there's just gotta be a robust process that makes it very, very difficult where you're gonna have to be able to compromise a slew of people in order to really breach that process and gain from overcoming that. So, that's a key factor for it.

Mike: Do you think there's a technology area that is ripe for either kind of re-imagining, rethinking, or is in need of lot of some uplift and upscale and where AI could be extremely helpful in that space? Like where's AI not being used today that it would be really needed and super effective?

Vaughn: I think that there's a lot of opportunities. You know, I'll share with you, you know, something that I saw a presentation that somebody was doing where they're, they're leveraging a chat bot to update their CMDB. You know, so for the asset management, which is really key for us in cybersecurity that we know who's running something, what's operating on it, how important that is to the business. Those kinds of things are not always kept up to date in the CMDB. 

And somebody was leveraging the capabilities where they used a Teams chatbot that was coordinating with some other stuff that was going on in the background where it would say, okay, we see this individual has signed on to these other servers that look like this one and are running similar applications and generates a chat with this individual on Teams that says, hey, I'm 90 % certain that you are the owner of this device. Here's why I think that. Can you confirm? And if not, do you know who you think it belongs to? And if they say yes, then update the CMDB, that's the owner. And then you can align some information about it from there. And if they say, no, it's not me, it's somebody else, then it goes in and communicates to the other person and says, hey, so-and-so said you are likely the owner of this box. And here's why we think that's 80 % true or whatever.

And really just going in and updating that stuff automatically and something that, for somebody to go out and we'd have to hire a bunch of interns to go out and chase people down to get that updated. And that would be a one-time effort and it wouldn't keep things up to date. So that kind of thing is unique and interesting. 

There's other opportunities where we can leverage it again, as I mentioned, in terms of correlating the events that we see, trying to highlight whether we've got something that we need to dig deeper on, just bringing that information so the analysts don't have to chase things down and then they can analyze it quickly and move on. So there's a lot of opportunities for us.

Mike: You can hear varying difference of opinions on what's the impact to the workforce in the future, especially in cybersecurity. And you also have those that talk about the shortage of cyber professionals. And there's a gap there. What do you see the true impact of AI on your team and cybersecurity professionals in general over the next couple years, five years, what do think it's gonna do?

Vaughn: Well, I think the key thing that we have to remember, especially with a lot of the generative AI tooling, is that it's not something that works on its own. You've got to have people that are knowledgeable in the particular arena that can understand that output and say, first of all, does this make sense? Are we seeing a hallucination? Really kind of put some critical thinking against it before they just go with whatever the tool tells them to do. I think that's a key factor that you're have to look at across the board. It's not something that's just gonna operate independently and we just let it go. I think that's one thing. 

The other thing is, I don't know that we have necessarily a shortage of cybersecurity workers. I think what you have is a shortage of key talent. And that key talent is really important for being effective. And what you will see is that there's going to be a capability for that key talent to scale a little bit better using some of the AI tooling that we're going to make available. But at the same time, as we migrate some of these more basic tasks over to AI and take away some of the entry level work that you're going to start to damage the talent pipeline for the future in terms of developing people. Because a lot of times you give new people that work that maybe isn't all that exciting, but kind of starts to give them visibility into how everything goes and they can start to develop and understand patterns that they're seeing and better understand what it is, the work that we do, why we do it, why it's important and how it all works together and help them to maybe recognize some of the things that, yeah, this is something that's a true positive or something as simple as, hey, it's not good enough to just contact the person who's account it is and say, hey, did you do this or not? But you have to take a thing of, okay, yeah, they did it, but what they're saying doesn't quite make sense to me in terms of why they did it. Maybe there's more to this than what they're letting on and I need to dig a little bit deeper in this, or whatever that case may be. You've got to develop some of those skills over time. And so if we're just taking, you know, top talent and putting them at scale with AI, then we're not building that next generation of talent.

Mike: We have about five to 10 minutes left and we do this thing at the end of the podcast where it's a kind of a lightning round where I've got a couple different questions and this is the one tweet version, you know, nothing long, just kind of your quick take on each of them. You know, kind of looking to be inspirational and just get a little bit deeper insight to what's on your mind around some of these topics.

So first one, someone stepping into their very first CISO job and they come to you for advice. What's the one thing you would tell them to not underestimate or overestimate about the job?

Vaughn: I think the first thing I would say is understand the expectation of the organization you're going into and make sure it aligns with your view. So if you don't know what's expected of you, or if you don't align with that view of what's expected to you, then you're not gonna be a good fit for that role.

Mike: Alright, so there's so much going on with technology. It changes, it seems minute by minute sometimes. How do you stay on top of all the new technologies that are coming out here and all the threats? It's like it's information overload. Are there particular websites, podcasts, Twitter handles? Like, where do you get your source of information from?

Vaughn: I would say that first of all, if you're trying to do it alone as a CISO, you're never gonna succeed. I do not try to do everything myself. I've got a great team and I lean on them. So they've got particular areas of expertise. They have a focus there. They're the ones that are understanding and developing what they need to know about that. 

For myself, I engage a lot with my peers at different venues. I work with government entities. I was just spending two days with the Business Council of Canada over the last two days, working with the government, trying to understand what they're seeing, what's important to them, how do we work better together. Those kinds of things really put me in a better position to do my job.

Mike: That’s great. Any favorite podcasts or websites to throw in there?

Vaughn: Well, I will say that Kim Jones has a good one. I would go out and listen to him any day.

Mike: Excellent, thanks. Alright, so on a more personal note, what's a book that you've read that's had a big impact on you and why? And it doesn't necessarily need to be work.

Vaughn: I'm going to refer back to an oldie, but a goodie. I think The Seven Habits of Highly Effective People is is still one of my favorite books. You know, there's key principles in there like the law of the farm. You know, you can't you can't plant the seeds and expect to harvest in the same day. 

You know, so I think that when you apply that to what we're doing, you know, a lot of the stuff that we do to prepare for a potential event is stuff that we've got to be doing in advance. It's stuff that we've got to be training on, you know, and then the results come later. But it's that kind of principle that you can apply there and they're all in that book. So I love that book.

Mike: Yeah, there's a reason that's a classic. That one's on my bookshelf at home as well. All right, so we may have a listener that, know, our listeners that are either thinking about getting into cybersecurity or new to the profession. What's one thing, like what's one piece of advice or what's something that you would want to share to inspire that next generation of cybersecurity professional?

Vaughn: I think, first off, become an expert in something. Whatever it is, become an expert in that. Cyber security is really broad. And if you try to do everything at once, you're gonna be a jack of all trades, master of none kind of thing. I think it's important to have a level of expertise that you build as a foundation and go off of that. That's one thing. 

The other thing is, is you don't have to start out in cybersecurity. You can start in networking, you can start in development, you can do some other things that give you skills that you can then build upon and maybe get some cybersecurity certifications in the background, but have some other experience that you can then apply and make it meaningful. So I think that when you come out and you say, well, I got a degree in cybersecurity. I'm ready to go, you know, get the big bucks. It doesn't work well that way. And, you know, you're not, you're not as likely to be as effective.

Mike: All right, last question, I promise. What do you think will be true about the future of AI and security that most people today would consider complete science fiction?

Vaughn: I'm probably sitting on the science fiction seat. Look, I think there's a lot of hype about what we're going to see. I think there's real benefit in things like the machine learning and things of that nature. But I think there's also a lot of hype about what we can and can't do with some of the generative AI. And we're going to see that it's not everything that people have made it out to be. 

I think that you can't get away from the fact that it takes effort to make something work well. And machine learning is not something that, it's like the law of the farm. It's not something that you just go enter in a prompt and boom, you've got everything functioning great. It's something that takes a little effort. You've got to have models. It takes a little work to get there. And I think that for anything meaningful, it doesn't just happen by happenstance. You've got to put some work into it.

Mike: Vaughn, once again, I really appreciate your time today and thanks for all the insight and the experience that you shared with us and thanks for being part of the podcast. Appreciate you.

Vaughn: My pleasure, Mike.

Mike: That was Vaughn Hazen, Chief Information Security Officer at the Canadian National Railway Company. I'm Mike Britton, the CIO of Abnormal AI. 

Evan: And I’m Evan Reiser, the founder and CEO of Abnormal AI. 

Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog.

This show is produced by Josh Meer. See you next time!