From CISO to Startup: OT Security, Leadership, and Lessons from the Field

Written By Patrick Miller

Season 3 - Episode 2

Host: Patrick Miller

Guest: Darren Highfill

In this episode, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.

 

Show links:

Recent Podcasts

Featured
Policy Pulse - Regulatory Roundtable: Cyber Strategy, Large Loads, AI & CISA in Flux
Policy Pulse - Regulatory Roundtable: Cyber Strategy, Large Loads, AI & CISA in Flux

Policy Pulse: Regulatory Roundable is a new monthly feature of the Critical Assets Podcast. Join Patrick Miller, Joy Ditto, and Earl Shockley as they break down the latest policy, regulatory, and legislative changes impacting critical infrastructure, OT, and cybersecurity. If it affects your assets, audits, or authority, we’re covering it, straight from the policy frontlines.

Policy Pulse - Regulatory Roundtable: NERC CIP, Cybersecurity Strategy, AI & Electric Sector
Policy Pulse - Regulatory Roundtable: NERC CIP, Cybersecurity Strategy, AI & Electric Sector

Policy Pulse: Regulatory Roundable is a new monthly feature of the Critical Assets Podcast. Join Patrick Miller, Joy Ditto, and Earl Shockley as they break down the latest policy, regulatory, and legislative changes impacting critical infrastructure, OT, and cybersecurity. If it affects your assets, audits, or authority, we’re covering it, straight from the policy frontlines.

Vulnerability Overload: Making Prioritization Work in the Real World
Vulnerability Overload: Making Prioritization Work in the Real World

Patrick Miller talks with Kylie McLanahan about the messy reality of vulnerability management in OT environments. They dig into the pressure to patch, standardization benefits of machine readability and the CSAF, the limits of CVSS, and how CISA’s KEV list fits into prioritization efforts. Kylie brings insight from across the ecosystem (vendors, regulators, and asset owners), offering strategies to cut through the noise and focus on what matters most. From patch fatigue to risk-based triage, this episode is packed with practical advice for managing cyber risk when time, tools, and resources are limited.

Patrick Miller https://www.patrickcmiller.com
Previous

Vulnerability Overload: Making Prioritization Work in the Real World
Next

Critical Conversations: IR, Forensics, and Regulation in OT