Vulnerability Overload: Making Prioritization Work in the Real World

Patrick Miller talks with Kylie McLanahan about the messy reality of vulnerability management in OT environments. They dig into the pressure to patch, standardization benefits of machine readability and the CSAF, the limits of CVSS, and how CISA’s KEV list fits into prioritization efforts. Kylie brings insight from across the ecosystem (vendors, regulators, and asset owners), offering strategies to cut through the noise and focus on what matters most. From patch fatigue to risk-based triage, this episode is packed with practical advice for managing cyber risk when time, tools, and resources are limited.

In this episode, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.

In this episode, we sit down with Lesley Carhart (@hacks4pancakes), a renowned expert in OT/ICS incident response and forensics, to explore the unique challenges of defending critical infrastructure against cyber threats. Lesley shares insights into how internal OT teams can better support external IR teams, evaluates global and sector-specific preparedness, and discusses the impact of regulations on effective incident response. We delve into the complexities of defining and reporting incidents, the potential for improved approaches, and actionable advice for those looking to enhance their IR and forensics skills.