Aug. 16, 2024

From Hacker to CISO: Carlos De Leon's Journey and Career Advice

In this episode of the Candid CISO podcast, Co-Host John Donovan interviews Carlos de Leon, CISO at the Washington State Department of Revenue. They discuss various topics related to cybersecurity leadership and strategy, including the challenges and rewards of the CISO role, the importance of compliance, and the need for strong communication and people skills. They also touch on incident response and threat management, highlighting the lessons learned from the CrowdStrike incident and a cloning incident at Carlos' agency. The conversation concludes with a discussion on the impact of technology and organizational factors on the CISO role, as well as Carlos' personal career journey. Also in this conversation, Carlos shares insights and advice on thinking creatively, his early hacker days, and career development in cybersecurity. He emphasizes the importance of an adversarial mindset and thinking outside the box to solve problems. Carlos provides advice for those looking to enter the cybersecurity field and become a CISO. The conversation concludes with a discussion on Hacker Summer Camp and the importance of networking and community in the cybersecurity industry.

Segments

00:00 - Introduction and Background
03:03 - CISO Role: Challenges and Rewards
07:02 - Compliance in the CISO Role
09:57 - Lessons from Incident Response and Threat Management
13:24 - Balancing Technology and Organizational Factors as a CISO
20:30 - Insights from a Personal Career Journey
29:19 - Thinking Creatively and Developing an Adversarial Mindset
31:34 - Career Development in Cybersecurity
35:27 - The Importance of Networking and Community in Cybersecurity
45:36 - Hacker Summer Camp: Networking and Learning Opportunities

Insights

  • Prioritize ethical reporting over legal loopholes when managing security breaches.
  • Leverage security incidents to drive and strengthen your cybersecurity initiatives.
  • Implement layered security architectures to ensure robust protection against failures.
  • Balance technology and organizational factors when shaping cybersecurity policies.
  • Be transparent during incident recovery to quickly rebuild user trust.
  • Adopt cloud solutions while mitigating risks with mature security practices.
  • Encourage an adversarial mindset within your cybersecurity team for better defenses.
  • Foster community and transparency to enhance cybersecurity collaboration.
  • Plan ahead for incidents by coordinating multi-agency responses effectively.
  • Invest in apprenticeship models to develop well-rounded cybersecurity professionals.
  • Embrace cutting-edge technology to stay ahead, despite inherent risks.
IdRamp is a sponsor of the Candid CISO podcast. Visit their website at: https://www.idramp.com/candidciso

TrustLogix is a sponsor of the Candid CISO podcast. Visit their website at: https://www.trustlogix.io/candidciso


Candid CISO is produced by Nonconformist Innovation Media


For show notes, links, and more episodes visit https://www.candidciso.com

Transcript

John D (00:01.248)

This week on the Candid CISO podcast, we have a great guest. Carlos de Leon, the CISO for the Washington State Department of Revenue, or DOR, is joining us for a candid conversation. Let's just start out with a little icebreaker. You know, I found out during our discovery call, Carlos, that we both had an early introduction into computers, kind of both from the builder side of things and the breaker or hacker side of things. Do you consider yourself more of a breaker or a builder?

 

Carlos De Leon (00:28.544)

These days I'm more of a builder. I like to say I like to build community.

 

John D (00:36.27)

That's a great way to do it. You know, coming from kind of that deep technical background, and we'll cover some more of that, it kind of helps you, I think, when you get into the people side of things. So yeah, let's go ahead and dive in. You know, the first area I'd like to talk about is in your CISO role here around cybersecurity leadership and strategy. And I like to start off with one question, which is, what do you love about what you

 

Carlos De Leon (01:02.974)

Well, I love the challenge. I love the puzzles, the variety. In my career, I've gone from lowly help desk to desktop support to sysadmin. And the days that I felt the most bored were when it was the same old, same old, you know, closing tickets, the same old work. So I love the challenge. I love being challenged with new ways of creative

 

John D (01:30.934)

I guess the flip side of that, and it sounds like you enjoy a challenge. What do you find kind of the most difficult part of the CISO job that you've got?

 

Carlos De Leon (01:40.764)

Yeah, currently the most difficult part. Well, I wouldn't say difficult, but it's the most challenging is the compliance side. I find it frustrating, but also I recognize that it's necessary. So.

 

John D (01:56.029)

I got you there. Well, we'll definitely be talking about some compliance aspects of the job some more. I mean, I think maybe to start things off a little bit, let's talk a bit about your responsibilities there as, you know, the CISO for a public sector agency and, you know, what are the things that you're working

 

Carlos De Leon (02:15.714)

Well, as CISO, I currently have two teams underneath me. I have a security operations group, which is our response and DR incident response group, the defenders. And then I have a GRC group, our governance, compliance...

 

John D (02:33.45)

Risk. Yeah, there you

 

Carlos De Leon (02:34.188)

risk and compliance. We actually rebranded it to the ACE team, architecture, compliance and engineering. Because it just sounded better, the ACE team instead of GRC. So those are the two teams underneath me. When I joined security, I rose to the ranks. I started as a risk analyst and then got promoted to security architect and then security supervisor and finally CISO. So

 

gone through the compliance side of the house. When I was an architect, I tried to get as much involvement with the SecOps team as I could to learn their day to day, their tooling, you know, working the SIEM, working our patch and vulnerability management program. So I'm trying to be a more hands-on CISO than my predecessors. We'll get into that, but I found a list of the six types of CISOs and I want to be more the face of security.

 

more involved in. I'm told as a new CISO I can't be hands on keyboard. That was one of my hesitations with taking a management role, losing that cutting edge, finger on the pulse. And I'm trying to hold on to it as much as I

 

John D (03:54.412)

I think that's always a challenge, but as you said, there's so many things to do, and I definitely like your kind of rebranding of the GRC to the ACE team. It's always good when you can make your team feel good and also, you know, potentially get some good internal branding and stuff like that. Kind of speaking to that, you know, how do you feel like your leadership style has developed both as you've been moving through those different jobs, and then you were kind of in the private sector before. I'm sure there's some differences from private to public sector.

 

Carlos De Leon (04:19.138)

Yes.

 

Yes, yes. Things changed when I switched to government. One of the things I like to say is that I don't have a board or stockholders to respond to, but I now have taxpayers and residents to respond to. So our motivations are different. It's not the dip in the stock. It's in the optics, you know, wasted taxpayer money. Mostly our motivation is to stay out of the newspaper, stay out of financial fees, you

 

punishments for a breach or something like that. So it's a different world a little bit. We won't go bankrupt and go under next year. So those are the interesting observations I made. But as for my style, like you spoke to my technical background and my history and, you know, I have a hacker background we'll get into, but I like to see the limits of what

 

playing with what I'm working with. So I embrace technology. The cutting edge, I was playing with IoT when it came out, I'm playing with ChatGPT and all the new generative AIs and stuff. I'm not like my predecessor who said, no, it's too risky. We're not going to get into that. I hear these stories of CISOs who use flip phones because they're afraid of technology. I'm like, no, give me the latest, greatest cutting edge. I want to see what I can do.

 

To break it, what its limitations are, what its possibilities are. I have a very paranoid firewall. I block all the telemetry for my devices calling back to the mothership. So I know what they're doing. I can see all that on the network. So I feel like I'm a more hands-on CISO, again, than the traditional risk averse CISOs that I've come across. And not to say they're all the same, but there's different levels.

 

Carlos De Leon (06:17.022)

Going back to that list, if I can find it, I'll reference it, but off the top of my head, there's the post breach CISO who comes in and cleans up the mess. There's the status quo CISO who keeps everything going the same direction. There's the entrepreneurial CISO who works with the latest and greatest. He's got the budget and the support to buy everything. What was the other one, the compliance CISO, which according to that list is where I'm supposed to be. Cause I'm heavily regulated.

 

I'm regulated by IRS for FTI, Federal Tax Information. I have other compliance, mixed bag of compliance, so I need to be able to check those boxes and fill those questionnaires and audits.

 

John D (07:02.88)

Well, it's definitely combining all of those different types of CISOs into the right one that's going to work best for you. And we'll definitely get into some of the incident response. It's interesting that you've got both a lot of regulatory stuff and, I'm sure as the DOR, you're probably a pretty attacked site as well in some cases, right?

 

Carlos De Leon (07:20.462)

Yeah, yeah, we're highly visible and we're definitely the crown jewels. You know, we collect the revenue. If I'm recalling my numbers from last year, I think we collected about 28 billion, around there, almost 30 billion in revenue. So I'm sure we're a juicy target for somebody. Yeah.

 

John D (07:40.804)

I guess as part of that kind of leadership style and strategy, as you mentioned, you've kind of come up through the ranks and we'll get into career progression a little bit later here too, but moving from kind of being a peer with some of the folks that are now on your team, assuming folks have stayed there, how has that transition worked and what are the things that you might advise other folks that could be going through that same type of path?

 

Carlos De Leon (08:05.538)

Yeah. Well, to be honest, not a lot, but one of the essential skills is obviously the people skills, being able to be a public speaker, a communicator, being able to tell the story of security, not technical numbers and, you know, jargon, to the execs. Some of my team have told me, you know, bluntly, I'm not a people person. I don't want to be a manager or supervisor. I want to do what I'm good at and I'm happy here. So I want to keep them happy. Obviously, I work on.

 

advocating for keeping them, you know, well paid as much as I can. But that skill set of having the people skills, I think, is essential nowadays. The modern landscape of a CISO is not just the checkboxer. Now we have to be the CISO who has to respond to public inquiries about a breach or what happened, or be on the hook for, you know, findings and stuff. The stories, SolarWinds and...

 

you know, all those cases in the news. Yeah, yeah. So my role now is more of being the face of security and being in part protecting my team from being too overly tasked, but also being the representative that everybody needs. One of the findings, one of my observations, is that security is not always at the top of everybody's mind

 

John D (09:06.538)

We're going to get into that. We're going to get into some of the tier in a little bit here.

 

Carlos De Leon (09:33.528)

Having that background and knowing a lot of users are not technically savvy, you forget when you spend your day in IT and IS that that's not always the case. So normalizing that security is everybody's role and job. And I think that's one of my goals, to get out there and get more security awareness and more buy-in from frontline workers.

 

John D (09:57.38)

That sounds good. And I imagine there's different challenges with, you know, some of the government employees and other things like that. In fact, our next topic is going to talk more on that kind of security operations, the incident response, the threat management areas. You know, the recent CrowdStrike incident has highlighted how vulnerable every sector of our global economy is to the centralization of infrastructure, including some of these critical security components. Are there lessons that...

 

Carlos De Leon (10:17.25)

Yes.

 

John D (10:24.106)

You know, you can share, learn from this CrowdStrike incident or, you know, other significant security incidents, responses that you feel comfortable sharing with our audience here today. We're looking for the candid conversations. We know there are some things that, you know, you can get candid enough, right?

 

Carlos De Leon (10:33.602)

Yeah.

 

Sure, sure. Well, there's always lessons. You never allow an incident to go to waste. You want to use it to push forward your initiatives, your agenda on security. For this one, my takeaways for my agency were the layering and the out-of-band communication. One of the things we talked about is, even though we weren't majorly impacted, we had a small impact that we resolved within a couple hours, so we weren't down.

 

But other agencies in the state were definitely heavily impacted. So what we talked about in our management meetings post event is, what would we have done if this happened to us? If it was another vendor that had locked us out of our laptops, blue screened all our employees, how do we communicate with those employees? How do we tell them that they need to bring it in or reboot it? So that had already been on my tabletop injects, having an out of band communication discussion.

 

But this just brought it up to the top. And then the other one is layers, like how do you have your security architecture so that if one system fails, you have something else to shore up that protection. In this case, it was a blue screen. In other scenarios, if your endpoint is breached or broken, how do you protect the data? How do you protect your account? Do you have MFA enabled? Do you have encryption enabled? There's multiple things that you could apply.

 

That are basics, basic security hygiene, to protect and mitigate against one failure. When you get into the domino effect where things fail in multiple scenarios, well, then that's a much broader discussion.

 

John D (12:22.622)

I've got you there. Luckily for me, my current startup is pretty small and all Mac based. So we didn't really have any Windows situations to deal with for this current one. Although I definitely had some out in the past. I mean, I guess the couple takeaways I'm getting from what you're talking about there are.

 

Even if you're not impacted, definitely make use of it as a way for you to, or if you're minimally impacted, take advantage of that both for your internal team and to talk about the need for planning ahead of what future incidents may need to be.

 

Carlos De Leon (12:55.8)

Yeah. I have a scenario for you. If you're a Mac shop, one of my senior C-levels lost his phone at a conference, dropped it in the ocean, and it turns out it was his only iDevice. So he can't recover, because his MFA goes to the iDevice and he doesn't have that anymore. It's all in the ocean. So do you have a secondary authenticator on the Apple ID to recover in case of that device

 

John D (13:24.376)

That's a great point. I think we get dependent on these different ecosystems, whether it's Google, Microsoft or Apple. And I definitely feel like they're improving some of the built-in security, but we always have to layer stuff on top. I guess, sticking around to the incident response area, any other kind of, again, juicy incidents where you can change the names of the guilty or the innocent, any lessons learned you want to share from there? And again, it can be from...

 

any point in your past here for the bit if you'd like to share.

 

Carlos De Leon (13:57.036)

I think it's, yeah, we had an incident last year. I think it's already in the news. So it's not confidential, no, we're not breaking anything. We had an incident where bad actors cloned our citizen portal. We call it SAW, Secure Access Washington. It's a front door where you log in and then you have access to government services. They cloned the website,

 

John D (14:04.662)

We're not breaking it here on the Candid CISO podcast.

 

Carlos De Leon (14:24.876)

paid Google ad dollars to have their fake sites put at the top of search results. And so they were harvesting legitimate taxpayer logins on their fake sites. We happened to have MFA enabled. And what they had figured out was a man in the middle solution where they would collect the MFA on their fake site and feed it into the legitimate site. And, you know, MFA defeated. So there were a lot of lessons learned, a lot of

 

For me, for my agency, our lessons learned is we need to communicate to the taxpayer anytime there's a change in the account. So what the bad actors were trying to do was change the bank routing information so they could get, right. They didn't do their homework. We are not a refund state. We're a sales tax state. We're not an income tax state. So they basically just took over payment accounts. When we try

 

John D (15:10.39)

Get the refunds back or whatever that kind of stuff. Yeah.

 

Carlos De Leon (15:23.8)

take payments from their bad actor accounts, it failed. But things like that happen. And like I was saying, your layered protection may not always hold up. We had MFA. We had followed best practices. We had compliance there, but it failed. So the lessons learned is, what more can you do to prepare for that and communicate that? It helped with an enterprise-wide response, which was statewide.

 

How did we respond, instead of just an agency level response? And that's quite a different ball of wax when you have to coordinate with other partner agencies and the attorney general and state IT. So it got complicated very fast.

 

John D (16:10.396)

It sounds like you had to not just deal with it kind of for your own agency there, but all the allied ones and that's an interesting one. The attackers are definitely getting more sophisticated. Like you said, putting stuff in front and I guess in the end, just like a lot of things with employees and workers, with your consumers and the members of the public that are your...

 

Carlos De Leon (16:19.949)

Yes.

 

John D (16:34.07)

customers, you know, it's how do you get them to know, go to the state site. Don't just click on the Google ad link or, something like that. Right.

 

Carlos De Leon (16:42.37)

Yeah, yeah. And how do you normalize the...

 

Carlos De Leon (16:50.486)

Sorry, I'm thinking of something else. The expectation there is, is that really a breach? That was a conversation we had at the very beginning. Like, is this really a breach? Because none of our systems were breached and there wasn't a break-in. The problem is on the end user side. The end user is willingly giving up their credentials. So it was a very difficult conversation to have with legal because they were like, it's not a breach, we don't have to report it. And I'm like, you do have to report it.

 

Just for the optics alone, right. And we did end up doing the right thing, but, you know, when that gets to the point where you're semantically trying to figure out, was it a breach or not? It doesn't matter. You got to do the right thing and help the end user. You fight for the user. You know, I know I work for an agency. If I was in the private sector, I'd work for the company, but you know, that is my ethical,

 

moral compass, I will fight for the user. I'm not there to figure out the loophole to get out of reporting.

 

John D (17:55.908)

I think that's a great approach to take, and you want your legal advice, you want to make sure that things are there. And like you said, especially if it's something that's known. I know in the past I've had to deal with breaches, and in one case, working as the CISO for Malwarebytes, Marcin, who's the founder, had made that call even though with one incident it was not

 

something that legally required disclosure. It was the right thing to do for the community overall, the security community, and then to make sure that our customers were happy. So it sounds like that's the approach that you took on this one.

 

Carlos De Leon (18:29.868)

Yeah, more and more we see that the agencies, the companies, the vendors who get breached, who are transparent about what's happening, have the better recovery time than those who stonewall and hide what's happening and how the recovery is going. You want to be as transparent as you can with your end users. It's critical for that trust, because you're already losing trust because you had a breach. You immediately have to try to rebuild it back by being as transparent as you can.

 

I had a great conversation last year with some colleagues about, excuse me, about when it comes to making the decision about what to do during a breach or an incident. It doesn't have to be a breach, but any incident, when it rises to the level where you have to call in the cavalry, you have to call in your cybersecurity insurance, for example, you may not have that choice to decide when the insurance gets involved. They already have a formula of how much it's going to cost to clean

 

they may pay the ransom if it's ransomware, for example, and that choice may be out of your hands. So, you know, you may have this pre-planned idea of how you're gonna respond to something, but it may just not be what happens, because if you're gonna use that cyber insurance, you have to follow the insurance guidelines. And we talked about the legal quandary that puts you in, because if the ransomware is from some sanctioned country, you

 

Russia or what have you, or North Korea, and the insurance pays the ransom. Yeah, are you legally held accountable for that? You've violated federal sanction laws. There's a lot to think about. There's a lot to unpack. And my advice to my management is, don't rely on the insurance. That should never be part of your DR plan. It's nice that it's there, great, but that should not be

 

John D (19:59.924)

North Korea, whatever,

 

Carlos De Leon (20:27.394)

your get out of jail card.

 

John D (20:30.336)

I got you. Well, I guess I have one other thing kind of in this area, and you've answered it to some degree, but let's dive in here a bit more. So, you know, we're having to operate as CISOs in more and more complex environments. And we talked a bit about the regulatory, the audit, the insurance requirements, all of that. Also while dealing with this ever shifting technology landscape, including the new generative AI, but it's kind of, you know, just the new flavor of technology that you need to deal with, defend against and see how you deploy.

 

What has had kind of the bigger impact on your approach as a CISO, the technology or the organizational side of things?

 

Carlos De Leon (21:06.486)

Hmm. That's a good question. I think it's a little bit of both. In my world with compliance, I get handcuffed a lot. One of the big ones recently that I had a conversation about was passwords. Everybody wants to go passwordless, right? That's the new hotness. Everybody wants to do simple authentication. But until my compliance catches up and says that's okay, I can't allow it. I'm sorry.

 

John D (21:33.846)

Yeah, that's a great point. It's like, it's in the standard. You still have to do password changes when you're like, just let my users pick good passwords and, you know, only change them if there's any type of compromise. Right.

 

Carlos De Leon (21:37.006)

Exactly.

 

Yeah, and I'm not just under the federal, I'm under the state security policy. So it's not just NIST, it's not just CISA, it has to trickle down to the state level and get adopted and updated. So I'm far behind the curve, even though I want to, and I know it's out there. It's easy to say, yeah, it's out there. So policy is definitely a thing to consider. Yeah.

 

John D (22:11.296)

And it sounds like that policy and the organizational stuff is going to impact the technology that you can look at and deploy. You know, it impacts your ability to be that department of yes, rather than no, right. So, okay. Well, I guess, you know, staying on the tech side of things a little bit.

 

Do you see the growing cloud and SaaS applications or on-prem infrastructure as your biggest challenge? And I guess I'll take this one from a threat management perspective, because we haven't really gotten into the threat management and kind of, yeah, that side of

 

Carlos De Leon (22:45.614)

I think so. The question is, what is the biggest impact, what is the biggest

 

John D (22:51.306)

Yeah, on the, well, on the cloud side or on-prem, you know, from the technology you need to take care of from a threat management perspective, do you end up focusing on one, the other, or some balance?

 

Carlos De Leon (23:02.712)

You have to balance it obviously, but it is a different mindset. The traditional castle mentality: this is my perimeter, this is my castle, my crown jewels, I put layers there with moats and stuff. That doesn't translate very well when your users are working from home over the public internet and going to services you have no physical or even maybe direct access to. If you're using SaaS, you don't have bare metal access or OS level access. There's a zero day.

 

You gotta wait on your cloud provider to patch. So you gotta figure that into the equation of how you look at it, how you manage it. There's a lot of new products out there, you know, the same buzzwords, zero trust. We onboarded Zscaler last year. I don't know if I can talk about vendors, but they've...

 

John D (23:35.059)

Mm, yeah.

 

Carlos De Leon (23:59.66)

They have been great at giving me visibility into what I didn't have, because COVID sent us home so quickly that, you know, we kept the VPN, we expanded the VPN, gave everybody VPN access, but what happens when the user's off the clock and they get off the VPN and they use their work laptop for personal use? That was a huge gap that I was telling management, like, this is really risky. How do I know they're not browsing somewhere they're not supposed to? Our endpoint is mitigating it to a point.

 

John D (24:17.791)

Right.

 

Carlos De Leon (24:28.994)

But again, those layers, you gotta have those layers. If it fails, what is our outcome? Where are we vulnerable? Yeah, cloud to me is, and I'll be honest here, being government, we're behind the curve. We're just getting into the cloud at my agency. The risk aversion is very high because of the regulation and the potential financial cost of any breach.

 

John D (24:29.365)

Reddit.

 

Carlos De Leon (24:55.106)

Cloud is new to us. We're playing with it. I worked on it previously. My last job was Rackspace. I was an assistant at Rackspace. Yeah, so I'm very familiar with cloud, but when I landed here, they hadn't even thought about it. And eight years in, I've been eight years here at Revenue, we're finally dipping our toes. And I'm like, all right, now it's done. Now we can start playing. And I'm finding, yeah, there's still a lot of fear, a lot of risk aversion.

 

John D (25:03.185)

There you go. Yeah, you're on the other side of that then

 

Carlos De Leon (25:25.848)

There's a lot of improvement in maturity that's happened in the last decade on cloud. We have fewer and fewer, hopefully fewer and fewer S3 buckets exposed to the world. It still happens, but there's a lot more regulation there that helps you close those gaps. There's a lot of new monitoring tools that tell you, hey, you forgot to lock it down over here. You forgot to put this security in effect. We have a lot more baselines, CISA, the CIS benchmarks.

 

John D (25:36.267)

Right.

 

Carlos De Leon (25:54.215)

Even the IRS now has cloud SCSEMs that you can measure against to see, have I at least done the bare minimum to protect what I'm supposed to be protecting.

 

John D (26:04.556)

Well, in the cloud, we have that whole shared security model, right? It used to be your different business groups said, we can just spin this up. It's in the cloud. They're going to secure that. Right. But yeah, I think there's definitely a turn towards figuring out not just how to do the detection and response there, but also how to get some of the perimeter control and/or proactive control, right, in the cloud. And I'm pretty heartened. I won't do too much of a plug, but my current company is focused on that type of stuff. And certainly a topic for

 

Carlos De Leon (26:07.544)

Yes.

 

Carlos De Leon (26:32.792)

Yes.

 

John D (26:34.51)

a future thing for us to dive into maybe. So, you know, with that, let's talk a bit about your personal career journey. Because I think one of the things that we really like to do is give that practical advice, both to CISOs who may still learn something and to people who are going down that path. Can you share how your background and the jobs you've had prepared you for your current role here as a CISO?

 

Carlos De Leon (27:00.398)

Sure, yeah. I've always been passionate about technology since high school, middle school. I was a gamer back in the x86, Pentium days, and even before that, I probably had an Atari. But my career really started in high school when I started consulting for local businesses after school, doing basic networking, app setup or training. What I learned very quickly,

 

I had really good mentors, both customers and teachers. You want to be helpful. You want to be good. Let me back up there. One of my favorite clients was a lawyer. I had a lot of lawyers, a lot of business, you know, white collar lawyers, doctors, dentists, stuff like that. But this lawyer taught me a lot about being in business on my own. He taught me that you can fire your customers.

 

You don't have to keep the customers that are nickel and diming you. You bill your worth. Don't undercut your value. So those are all good lessons learned early in my career.

 

John D (28:09.6)

Yeah, those are some great insights. The fact that it's another way where we have some things in common. I had my first computer consulting gig when I was in high school as well, after working at a computer store. It sounds like you're definitely getting out there, huh?

 

Carlos De Leon (28:22.358)

Yes, yeah. He taught me how to bill. You can bill two customers at the same time if you're thinking about the problem. If you're solving it while you're solving something else, you can bill it. So those were really early lessons. The more I got into sysadmin work, I did consulting for about a decade, finally jumped into the enterprise work. Rackspace was the most recent, but I worked for American Express and other corporations. I learned there the...

 

the importance of standardization, having desk manuals, following procedures. I was very wild wild west when I was a consultant. I just had to get the job done. Nobody was looking at my work. I did hack things together to make them work. I remember it does not, but those skills definitely are still in my head when I'm looking at things.

 

John D (29:06.292)

Right. That probably doesn't work as well in kind of the government agency side of things right now. Right.

 

Carlos De Leon (29:19.998)

How can I think outside the box and solve the problem creatively? For my team, I tell them you have to have an adversarial mindset. How would you attack this if you were the bad guy? Not just checking the box of we're secure. We did the thing I'm asked to be doing. Think about it from a different angle. What else is you? What other avenues do you have for attack? So going back to lessons or things I learned,

 

I should have written these down. The takeaways.

 

John D (29:57.462)

I guess I've got one for you and I'll kind of jump on this one, is, so you said early on, you said you're a gamer, maybe, you know, dabbled with a bit of hacking, statute of limitations, probably gone for all of that. You know, again, names and such can be hidden here, but any kind of interesting one you'd want to share, confessions about Carlos's early hacker days.

 

Carlos De Leon (30:06.324)

Yes.

 

Carlos De Leon (30:20.098)

Boy, started in... Sure, early years I started late 90s, early 2000s, internet was just starting. I was still playing with telephones back in the day, got my blue box like everybody else. One of my favorite hacks was I was living in a loft downtown and we had a call box to call the apartment and then they would buzz you in to open the door.

 

John D (30:21.578)

And then there's a lesson site to that, we'll, we'll let's, just see what you feel. Okay. Talking about.

 

Carlos De Leon (30:48.586)

To buzz somebody in, you press nine on your home phone and the DTMF tone would let the door open. Well, we quickly discovered that the mic on the outside was not muted. So if you, after hours, called the rental office when they were closed and held up your cell phone and pressed nine, you could buzz yourself in. So we went around downtown and figured out all the skyscrapers that had that vulnerability and we got onto a lot of roofs when we were not supposed to.

 

So things like that, other stories, I don't know.

 

John D (31:23.574)

Well, I mean, that's a great one. And I guess it kind of comes down to the fact of, how would you apply that now to something for your team or a story you might share there, right? Yeah, yeah, yeah. I mean, the blue box is cool on its own and this kind of thing, but there's a great analogy, I think, inside.

 

Carlos De Leon (31:34.094)

How would I, for lessons learned?

 

Yeah, usually when I'm trying to teach security, I actually fall back to the old school lock picking. I teach lock picking at my local makerspace. I usually have a go bag with locks and lock picks and handcuffs and other stuff to teach. And the takeaway that I usually try to leave them with is this is a very old technology. It's been around for centuries, yet it still has vulnerabilities that we still exploit as lock pickers.

 

Other lessons that you learn from it is like what you're protecting dictates what you spend to protect it. A $20 padlock is fine to protect your lawnmower in the shed, but it shouldn't be what's protecting your jewelry or your important documents. You know, that's why I teach lockpicking to beginners is like, this helps you put your mind into a physical acknowledgement of what security is. There is no silver bullet. A lock is not a foolproof security product.

 

You have to understand its limitations and that it can be compromised. Even a safe can be compromised given enough time. So those are the types of things that I use and I try to teach. The telephone one is just, again, layered security. Do you have closed circuit cameras watching the doors? Is your roof access locked with a separate lock? They were not.

 

John D (33:07.414)

Right.

 

Carlos De Leon (33:10.03)

So yeah, there's definitely lessons in the world out there. You're like, again, adversarial mindset, how do you bypass what, you know... Obviously don't go around breaking into buildings. That's... don't do this.

 

John D (33:21.738)

And we're not advocating that to anyone here. Maybe if it's your own building as part of a physical pen test, you can get your team on that. Exactly. There you go.

 

Carlos De Leon (33:27.638)

With permission from the landlord. Yes. All the locks I pick and all the locks I teach with, I give that lesson to the kids. Kids are actually really good at picking up lock picking. I tell them, don't pick any locks you don't own. Always get permission. Ask your mom or dad to buy you a few locks. It's, you gotta go with, you know, my personal thing is building community. You also have to teach the ethics of what you're doing. There's a reason you're doing this. You're doing it for knowledge. You're gaining knowledge. Learning.

 

You're not doing it for malicious reasons. I wasn't a fan of that period in my time of the notoriety seekers who wrote worms and viruses just to be, you know, infamous. Yeah, yeah. I mean, I get it. I understand why it happened. And that's part of our history. But the world has changed. The motivation now is financial. Ransomware is not out to change the world or learn anything. They're there.

 

John D (34:06.922)

Right. Defacing pages, that kind of stuff.

 

John D (34:24.644)

I'm losing him a bit there. Steve, are you there? Gotcha.

 

Carlos De Leon (34:28.71)

Okay. The world now is motivated by money and ransomware is the current boogeyman. And you got to understand what that motivation is and how it gets to where you are impacted by it. The most common threshold or the most common path in is a phish. So you got to focus your training on your users to recognize those phish. As I mentioned earlier, it's everybody's job to

 

be security minded. So how are you doing your job to make sure that your users have all the tools they need to report the phish, you know, detect it, understand what the different morphs of those phish are? The latest one that I left that was QR codes. They're sending emails with a QR code: scan here for, you know, password reset. And I'm like, no, don't scan that. But how do you even block that? Like, how does your spam filter block that? It can't. So, you know, you got to layer it again. That's the scalar.

 

John D (35:13.514)

Boy.

 

Carlos De Leon (35:27.5)

Well, now it can block that URL at the proxy. Now you're, at least your work phones are safe. I don't know about the personal devices, but yeah, those are all things, lessons learned. Like I said, don't waste an incident. Don't waste what's going on in the world. Use it to your advantage. Figure out what are you missing? What is that gap that you're not, that blind spot you're not addressing?

 

John D (35:35.734)

Great.

 

John D (35:51.148)

Well, we'll definitely talk a little bit more about some of the hacker tools and things like that when we get into hacker summer camp. But before we get there, I mean, I love your use of like bringing something physical. And, you know, I would say I remember one thing when I was early on talking to folks that did lock picking and stuff like that. When I first saw a bump key, man, that was like a game changing kind of thing. It's like, wow, I don't actually have to pick this lock.

 

Carlos De Leon (36:10.024)

Mm. Sure. Yes, yes. Yeah. Bump keys, the pick guns now. It's gone pretty wild. Yeah. I usually walk through the vendor area at Def Con and pick up a few keys here and there. Last year, I bought a bunch of construction equipment, golf cart keys, elevator keys.

 

John D (36:38.097)

There we go.

 

Carlos De Leon (36:40.12)

You know, I'll never use them, but it's nice to have a nice little set in my collection of, maybe one day I might need to open an elevator door or something. I probably won't have it on me, but. Yeah.

 

John D (36:55.093)

It's good to have tools, but I think that's one of the things we like accumulating things as we can kind of see in the background of both our offices here. The video will not be broadcast, but.

 

Carlos De Leon (37:04.142)

Yeah, I have a gap, but there was usually a 3D printer there in the corner. It's at my makerspace getting hopefully fixed.

 

John D (37:14.152)

Good stuff. Well, let's move back to the builder side of things just for a little bit and stay in that career journey and professional development. So what advice would you have for someone looking to make a move both into cybersecurity and then if their aspiration is to be a CISO, what does it take to make your way there, whether you start somewhere else in IT or from a different area?

 

Carlos De Leon (37:35.896)

Yeah, I've read it. I agree with the messaging or the comment that security is one of those career paths that you can come at it from all kinds of walks of life. It is not a traditional like being a lawyer or a sysadmin where there's a fixed path to get to. I've met a lot of people in my career and I've got some great stories. I've found a security researcher who started her career as a waitress and got into security because she heard

 

credit card skimmers and that got her interested in how is that done as a waitress, right? She has access to all these credit cards and that led her down a path that eventually led to her becoming a security researcher. And I'm like, that's amazing. Like you weren't even in IT and you became an IT person because of it. So yeah, advice on how to do it. My rule of thumb is be passionate. What I look for when I interview or when I'm talking to people:

 

Are you the kind of person who can't get enough of it? I know there's a lot of it, but I know that it's counter to the whole work-life balance. And we promote that here at the state. We are very clear about after hours, you're not expected to be on call or work or anything like that. But I want the employees who are tenacious, who are obsessed about it and won't let it go till they find root cause or find the source, right? Those are the kinds of people who usually have

 

John D (38:39.411)

Because there's a lot of it, right?

 

Carlos De Leon (39:04.246)

adversarial mindset. They're thinking about it from all the different angles. Not to say you can't learn that, but it's a good start having that passion. The other skills, most skills I think given enough time you can learn, like the hacking, the security part of it. It's a body that's well-known at this point in IT history, right? We know what a network scan is. We know what a SQL injection is.

 

We know what the mitigations are for it. So it's more of, and that goes to a comment I made recently to a friend that I'm like, we've tapped out on the usual suspects. We're now moving to physical. We're looking at side channel attacks on CPUs and memory, 'cause those hackers have gotten bored with the same old same old. And so now they're older. They got funding from their careers and now they're looking into

 

I have a friend who does side channel attacks. He's got custom built microscopes and injectors that do little mini EMP attacks on the chips. Yeah, he's got a scanning electron microscope so he can kind of layer by layer break down a chip. And I'm like, who's going to use that? But I get it. He explained it like, well.

 

John D (40:10.906)

Wow. We're getting pretty sophisticated down here.

 

Carlos De Leon (40:27.81)

Governments want to be secure that their chips are not being hacked, and also, like, vendors, they want to be first on the market with a, you know, EMP-protected chip. We built mitigations for that anyway. So, you know, the world is moving on to more and more advanced attacks than what we started with, like when I started Wi-Fi hacking, the war driving back in the

 

John D (40:42.444)

Yeah, yeah, yeah.

 

John D (40:56.5)

All right,

 

Carlos De Leon (40:57.294)

80% were unsecured because people just plugged it in and started using it. Now it's flipped. 80% is secured and maybe 10, 20% if you're lucky is unsecured. And then there's a, what is it? Captive portal. So you don't really get free wifi anymore. But you know, that's the kind of advancements. That's the kind of maturity that comes with it. I know I'm going off the...

 

John D (41:23.296)

No, no, you're good. I think we've got some good advice for folks on their career side and definitely the listeners can comment on this and we can pick it up.

 

Carlos De Leon (41:34.326)

Yeah, what I was leading to in the beginning was that I don't always expect my security folks to be traditional, degreed, certified. They're nice and my HR wants them. They want to have them because it makes filtering easier for the pool. But I may find somebody, I mentor a few folks and I'm like, you would be perfect. I just need to build you up enough to be able to be hired. You know, you have the right,

 

you have the right curiosity. Now you just, you know, you'd be dangerous with a budget and some tools, right? And so that's what I'm looking for. And how to get there for folks. I think there's such a wide breadth of domains in security. You could be an attacker. You could be a reverse engineer figuring out new zero days, new vulnerabilities. You could be a defender. You could just be

 

John D (42:10.22)

There you go.

 

Carlos De Leon (42:32.182)

a log junkie looking at logs and parsing them and figuring out what's the anomaly. Yeah. Yeah, I have one of those on my SOC team. He's happy with his logs. He doesn't want to change. And I'm like, okay, if you're happy, I'm happy and you're doing great. So keep doing it. But, you know, know that there's more than just one way, know that there's different things to focus on. I've been lucky enough that I'm a generalist. I've always tried to avoid being

 

John D (42:36.652)

There are people that enjoy that, that kind of thrill, the chase and stuff like that. Yeah, definitely. Right.

 

Carlos De Leon (43:01.152)

a specialist in any given thing. But I think in the modern world that we're in, maybe being a specialist, hopefully in a subject that's long lasting, because that log person might be replaced by generative AI, hopefully not anytime soon. But yeah.

 

John D (43:21.472)

You may have one person that can handle more logs because they've got the AI copilot or whatever it is, right? Yeah.

 

Carlos De Leon (43:25.186)

Hopefully, hopefully. Yeah, but you know, I don't see that threat as a job replacement and I agree with my management. It's an employee enhancement. It makes you a better employee having that extra tool of AI to write better communications, filter logs better, pay attention to things you've missed there. You know, they're really good at pattern recognition. We're good as humans on a certain

 

visual thing, but in logs, they might be better at it. But career wise, find your passion, stay with it, find a good community, find a local user group, hacker group, 2600, DC groups, find a mentor if you can. There's a lot of good, I feel like the whole, what is it, master and apprentice model

 

should be used more widely in InfoSec, not just go through the boot camps. They teach you a lot, but to really develop you and grow you as a security practitioner, you want somebody who can guide you to where your strengths are and know what your strengths are and tell you how to

 

John D (44:44.388)

That's some great advice, Carlos. You know, I think you get the full spectrum of organizations. You've got kind of the hacker and maker spaces. You've got organizations like ISSA and, full disclosure, I've been involved with ISSA International in the Silicon Valley chapter quite a bit. You've got ISACA, you've got OWASP for folks who are more in AppSec. And so I think that's some great advice. Like you said, not only find your passion, but get out there and find some people that you can hang out with and talk about it with.

 

Carlos De Leon (45:01.912)

Yes, lots of those.

 

Carlos De Leon (45:08.098)

Yeah. Find your local B-Sides. I take my mentees to those and their eyes go wide when they find their family, their tribe.

 

John D (45:17.324)

Well, that's a good transition. It's kind of our last segment here and stuff to talk about. So Hacker Summer Camp's coming up. And for those listening, most will know Hacker Summer Camp's Black Hat, Def Con, B-Sides Las Vegas, and all the other things that happen generally early in August in Las Vegas. We're going to have Def Con, I think, 32 this

 

Carlos De Leon (45:24.28)

Yes.

 

Carlos De Leon (45:36.962)

Yes, wow, it's old. It's getting old.

 

John D (45:38.964)

Man, yeah. These hairs are getting gray on you and me both here, man.

 

Carlos De Leon (45:43.97)

Yeah, yeah, this will be, I lost count of when I first, I know I was probably.

 

It was in the middle of the Alexis Park years. So I've been going almost 25 years, if my count is correct, to DEF CON. I'm a retired goon. I used to volunteer at DEF CON as the security, now we call them SOC now, you can't call them security. So I've earned lifetime admission for 13 years of service. So that's one of the reasons I go is I don't have to pay for the badge. I do have to pay for hotel and airfare, but

 

John D (45:56.115)

Alright.

 

Carlos De Leon (46:20.706)

That's not a big deal. I'm mostly there to network, socialize, meet people I don't see unless it's that summer camp event. I mostly skip the talks because they end up on YouTube. I actually buy the recordings every year and just watch them post event unless I hear chatter about some really good talk that I might crash and go listen at. I'm more there for the villages, the lobby con as we call it.

 

John D (46:49.268)

Right. Line con lobby cons. There you go. Yeah.

 

Carlos De Leon (46:49.998)

There's so much there. Yeah, yeah. There's always, we call it the vortex, when you're trying to get A to B and it takes you an hour when it should have taken you 10 minutes because you get stopped by people. And as many years as I've been there, I know a lot of people and a lot of people recognize me. So I get stopped and asked and talked to and I love it. It's a great way to reenergize my batteries. It motivates me when I come back to work that I'm doing what I'm supposed to be doing,

 

representing the users and my community.

 

John D (47:24.396)

Do you have any advice for people that might be going to Hacker Summer Camp here for the first time?

 

Carlos De Leon (47:29.006)

Yes. Check out the villages. It's grown into its own kind of subcon in DEF CON. I'm going to Black Hat also. I didn't attend in the past as much as I probably should have. But now that I am CSO, I have meetings with vendors and stuff. But first timers, we have a rule. You'll learn it at the onboarding. The first talk is the 3-2-1 rule. Three hours of sleep minimum, two meals minimum, and one shower minimum.

 

John D (47:59.139)

And that'll keep you and everyone else at the con in good shape, right?

 

Carlos De Leon (47:59.854)

In good shape, yes. But other than that, definitely find, you know, put yourself out there. I know it's hard for a lot of us introverts and tech savvy folks. Put yourself out there, make friends, introduce yourself. One of the cool things I love about the community is they come up with ways to icebreak and one of them is stickers. Bring some stickers. Yeah.

 

John D (48:22.117)

Yes, stickers are a big deal in the security community for those that don't know it.

 

Carlos De Leon (48:26.626)

Yeah, so you exchange stickers or just give them away. It's an icebreaker. It starts the conversation. People will ask you, well, thank you. And where are you from? Or what do you do? So talk to your company. If you work for a company, get some vendor stickers from your company or even, you know, buy some online yourself, you know, create something. ChatGPT can generate really cool pictures. Nobody says you can't just print something off ChatGPT or whatever the image generators are.

 

So those are good. One thing I like to do as an old timer is I like to find first timers and kind of take them out to a meal. I take them to lunch or dinner and kind of talk to them, show them the ropes, introduce them to a few key people. Once I get to know them and know what their interests are, if they're into cryptology, I'll find some cryptology friends and get them talking. Take them under your wing and help them figure out. It's overwhelming.

 

John D (49:21.637)

Well, you guys heard it here first, you know, find Carlos during the con and it sounds like he might buy you a meal, you know.

 

Carlos De Leon (49:23.374)

That, you got to be very careful. I stick to the rule of no more than four or six people. If you get too much of a crowd, lunch becomes a three hour ordeal. So you have to be very judicious about who you invite. I usually plan my, and I actually have friends who actually do this. They have a set dinner and they send invites. And if you are an SVP and don't show up, you're off the list.

 

John D (49:35.468)

There you

 

John D (49:52.167)

There you go. Yeah.

 

Carlos De Leon (49:52.302)

And there is a cutoff. You have to RSVP fast enough. But that is, you know, it's so big. It's 20,000 on average, 25,000 attendees for DefCon. You're not gonna see everything. Don't try to do all the DefCon. Pick one of them. Pick talks, pick villages, pick lobby con, pick the parties, sleep all day and go to the parties. So, you know, don't try to do it all. There's more every year.

 

John D (50:14.38)

There you go.

 

Carlos De Leon (50:21.4)

Come back the next year if you can. It is its own amazing, crazy, weird place, but I love it. I keep going back.

 

John D (50:33.642)

Well, Carlos, that's some great advice for folks who maybe haven't been in a while or it's their first time. You know, definitely thanks for putting in the plug for the villages. I've been volunteering at the Packet Hacking Village. That's one of the things we have in common. Cloud Village is a great place for people trying to understand that stuff. There's a good group of folks that are there. And like you said, it's all these little mini cons next to the main talks that, you know, maybe you want to just go and hang out there and plus DJs, music, you

 

Carlos De Leon (50:46.883)

Yes.

 

Carlos De Leon (51:00.96)

There's so much.

 

John D (51:01.268)

interesting people walking down the hallways, you

 

Carlos De Leon (51:04.16)

And another note, like I get asked all the time, how can I volunteer? 'Cause when I was working, they wanted to do what I was doing. I'm like, you know, enjoy it as an attendee for a few years before you cross the fence and do it from the other side. I'm not saying don't volunteer. I'm just saying, enjoy it first. There's so much to do. Spend a couple, maybe five years enjoying it before you volunteer. But yeah, there's so much to do that.

 

John D (51:30.144)

Well, maybe one last thing on Hacker Summer Camp then. Are there any talks or parties or events that you want to plug in

 

Carlos De Leon (51:36.878)

Yes. So I run my own conferences. I run ToorCon in San Diego and ToorCamp here in Washington state. My friends and I, in that loft, we started them 20 or so years ago. We were so in love with the Defcon idea that we started our own. And then one of my friends went to CCC camp in Europe and loved the camping idea of a hacker camp. So we started ToorCamp in Washington.

 

So we have usually a ToorCon party. I'm still waiting to find out if it's going to happen this year. It may not. So that's one to be on the lookout for. Follow us on social media. The other one is a friend of mine is Jack Rhysider, who runs Darknet Diaries. He's going to throw a huge party this Saturday, the 9th. Officially at the Las Vegas Convention Center, got DefCon space allocated to

 

So he's gonna be throwing a huge party. It's a masquerade party. Look him up on social media, check out the podcast. So yeah, those are the big highlights for me. I do a lot of other parties. I'm usually just roaming around, because I'm no longer working. I'm an attendee. And so just go where the flow takes

 

John D (52:54.102)

Well, I think that's some great advice and it's probably a good way for us to kind of wrap things up here. I think it's good to consider other conferences as well. And like you said, there's all these great regional conferences. There's B-Sides Las Vegas, but there's also B-Sides SF and Raleigh Durham. And I think there's even one down in the Caribbean, you know, these days. So find your local conference as well is one of the things we're advising to people.

 

Carlos De Leon (53:12.728)

Yeah.

 

Carlos De Leon (53:16.619)

Yes, I will be going to B-Sides Las Vegas. I bought a pass to just check it out. I support them. I support all of my local ones. B-Sides Seattle, B-Sides Portland are my local ones here that I go to every year.

 

John D (53:31.136)

Well, folks, I think from John here down in Silicon Valley and Carlos up in the Pacific Northwest, we're going to sign off here and say thank you so much for all your insights and I'll see you in the desert.

 

Carlos De Leon (53:42.264)

Thanks.

 

Carlos De Leon

CISO

Carlos De Leon is a seasoned professional with extensive experience in the field of cybersecurity and business innovation. He currently serves as the Chief Information Security Officer at Washington State Department of Revenue.

Carlos has honed his skills in security architecture and project management. He is known for his expertise in implementing technology and fostering a culture of collaboration and creativity within his teams. His leadership style emphasizes mentorship and empowerment, helping to cultivate the next generation of security professionals.

Carlos is also an advocate for diversity and inclusion in the tech industry, actively participating in initiatives that promote equal opportunities for underrepresented groups. His passion for technology and commitment to social impact make him a prominent figure in the tech community.