Critical Assets Podcast

By: Patrick Miller

About this listen

The Critical Assets Podcast covers important OT and ICS security topics with an eye toward standards and regulation to keep you ahead of your adversaries... and your auditors. Ampyx Cyber. Securing your world. See our other content such as blogs, cybersecurity news and more at www.ampyxcyber.com

Ampyx Cyber 2024
Politics & Government
Episodes
  • Policy Pulse: Regulatory Roundtable - NERC CIP, Cybersecurity Strategy, AI & Electric Sector
    Feb 1 2026

    Welcome to the Policy Pulse Panel, a new monthly series within the Critical Assets Podcast. Hosted by Patrick Miller (Ampyx Cyber), Earl Shockley (CEO, Inpowerd), and Joy Ditto (CEO, Joy Ditto Consulting), this recurring panel dives into the most significant policy shifts and regulatory developments impacting critical infrastructure, operational technology (OT), and industrial cybersecurity. Each month, we unpack emerging legislation, agency actions, and standards updates - connecting the dots between policy and the practical realities faced by asset owners, utilities, vendors, and government partners. If you're trying to stay ahead of your auditors and your legislators, this is your monthly must-listen.

    https://ampyxcyber.com/podcast/policy-pulse-regulatory-roundtable-nerc-cip-cybersecurity-strategy-ai-electric-sector

    1 hr and 2 mins
  • Vulnerability Overload: Making Prioritization Work in the Real World
    Jul 20 2025

    In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS.

    The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness.

    This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.

    Links:

    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities

    CISA vulnrichment: https://github.com/cisagov/vulnrichment

    Vulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7k

    CISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc

    Carnegie Mellon SSVC: https://certcc.github.io/SSVC/

    CSAF: https://www.csaf.io/

    VulnCheck KEV: https://vulncheck.com/kev

    Kylie McClanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/

    Bastazo: https://bastazo.com

    36 mins
  • From CISO to Startup: OT Security, Leadership, and Lessons from the Field
    Apr 13 2025

    In this episode of the Critical Assets Podcast, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.

    Show links:

    • Darren Highfill LinkedIn Profile - https://www.linkedin.com/in/darrenhighfill/
    • NIST Cyber Security Framework (CSF) - https://www.nist.gov/cyberframework
    • Ankrd website - https://www.ankrd.com/
    44 mins