Featuring Ray Yepes, CISO, State of Colorado
Summary
Ray Yepes, CISO of Colorado, believes a centralized IT infrastructure model is most beneficial for security, economics, personnel resources, scalability, and disaster recovery. It provides better control, cost savings, and fewer people needed to manage the infrastructure, as well as increased scalability, better risk mitigation, and continuity of operations.
🔖 Timestamps
0:00 - Intro
1:06 - Centralized vs Decentralized Cybersecurity
4:29 - Adjusting from serving as CISO at the DPSS agency with Texas' shared services model to serving as State CISO in Colorado's Centralized model
6:05 - Cyber insurance
11:29 - Self-Insured Model in Colorado
13:54 - "No Government Will Be Left Behind"
15:03 - Partnership & Collaboration with the State
17:25 - What states are most similar to Colorado
20:10 - Cyber Threats
22:36 - Dark web & Threat Intelligence
29:01 - Hiring Cyber Talent
36:15 - Culture
39:45 - "Live with the heart"
45:40 - Outro
Joe Toste [00:00:00]:
You're listening to the Public Sector Show by TechTables, a podcast dedicated to sharing human-centric stories from CIOs and technology leaders across cities, county, state and federal agencies, joining in the conversation and touching the hearts and minds of leaders across technology today, from mission-driven leadership to cloud AI to cybersecurity, workforce challenges, and more. Never miss insights from peers and vendor partners across the public sector. And to make sure you never miss an episode, head over to TechTables.com and drop your email to subscribe. New podcast episodes come out every Tuesday and Thursday, along with the weekly Behind the Mic newsletter. And one of today's podcast sponsors is TechTables Plus, an engaging new community where you can have early access to never-before-released episodes, early access to live event recordings, early access to weekly three interesting learnings, early access to live event ticket purchases, no episode ads and more, plus three extra special bonuses when you sign up today. Bonus number one, access to the CEO show; bonus number two, access to the higher ed show; and bonus number three, access to the digital show. Join TechTables Plus today. As always, thank you for supporting the TechTables network.
Joe Toste [00:01:12]:
Today we have Ray Yepes, the recently appointed CISO for the state of Colorado. Ray, welcome to TechTables.
Ray Yepes [00:01:18]:
Thank you very much, Joe. Hey, what a great pleasure to be here. Thank you, sir.
Joe Toste [00:01:23]:
I'm so excited. And before we jump into today's episode, this podcast is sponsored by SentinelOne. SentinelOne redefines cybersecurity by pushing the boundaries of autonomous technology with the Singularity XDR platform. SentinelOne is the leader in endpoint protection and beyond. Simply put, they stopped the bad guys. To learn more about SentinelOne, check out sentinelone.com. And of course, this podcast is also sponsored by the live podcast tour. Join us for these small, live, intimate podcast conversations across the US.
Joe Toste [00:01:52]:
I've got two left this year, Ray. September 23 in Sacramento and October 14 in Tallahassee. And looking forward to, I think we're going to do ten to twelve of these next year. If you want me to come to a city near you, email me: Joe@techtables.com. Love the live events. All right, so I'm going to kick off this episode with Ray and I'm very excited. Ray is a really smart guy and we're going to tackle a couple critical topics today.
Joe Toste [00:02:17]:
It's going to be a fantastic episode. Ray. Let's start with centralized versus decentralized governments. What have you seen from your experience working in cybersecurity both in Texas and in Colorado? What are some of the benefits? Maybe some cons. Can you break that down for us?
Ray Yepes [00:02:33]:
Absolutely. Great question. It's interesting to see the difference between the two of them. Many people will refer to Texas as a decentralized and Colorado as a centralized. One of the big things that people don't mean that the shared model, which is the shared services model, is often confused with centralized services. And I think that's okay. My opinion is based on the shared services model more than the centralized.
Ray Yepes [00:03:02]:
Colorado is truly unique. Centralized service, the shared services model, decide to provide services to customers. And that's usually what we see in Texas, where these customers who are internal or business unit leaders or even external customers, they are providing these centralized services are usually an extension of the functional teams already located at the enterprise level. So for Colorado coming truly we're centralized. We are doing okay. The services and we're agencies. We call the agencies that belong to the centralized model. We have consolidated non consolidated agencies in Colorado.
Ray Yepes [00:03:40]:
The consolidated agencies, basically we are the one who the service, the IT, the security and so forth, if that makes sense. Texas with the shared services model, they have certain services that they can offer customers, every agency alike, but each agency is still separate and unique. To give you an example, each agency will have their own CISO. It comes down to that. Texas is different. Again, each agency has their own ISO, CISO, CIO, director of IT, whatever they need to have their unique. Does that make sense?
Joe Toste [00:04:16]:
Yeah, no, this is great. And I think because we've talked offline a couple of times, I jumped the gun a little bit. People might be thinking, Joe, Ray's in Colorado, but you're talking about Texas. Can you maybe talk about your background in Texas and then the transition that you made and then that way, I think that'll keep everyone, will get everyone up to speed on the conversation.
Ray Yepes [00:04:37]:
Sure thing. Prior to joining the state of Colorado, starting in Colorado, April 25 of this year. So it has been on the job. Okay. For a little bit over to that. I was the CTO for the third largest state agency in Texas, called DFPS. I was there for five years as their CTO. And again, okay, it's the third largest agency by size in Texas.
Joe Toste [00:05:00]:
Awesome. So Ray has this unique perspective of being at an agency with kind of that shared services model and seeing everything there. And then Ray picked up and moved, left Texas and moved to Colorado. I love Colorado. Shout out. I went to college in Colorado. Moved to Colorado. Yeah, Colorado is great.
Joe Toste [00:05:24]:
There are a lot of really nice spots. Moved to an entirely. Now, when you moved from the shared services model to this centralized model, was that a big change or was this something that you wanted to see happen? How was that process for you being at the third largest agency in Texas and then moving to an entirely different model?
Ray Yepes [00:05:44]:
In my opinion, from a security perspective, it makes sense to be in a centralized model, and at least it's less of a nightmare from a security perspective, because now you have full control. The issue, when you don't have centralized government, when it comes down to your infrastructure, each one of them is different. So now the risk is dependent 100% on that particular agency. Here the risk is one entity only, so you have better control. Okay. From a security perspective, there's also damage. From economical perspective and being able to maintain, okay, one single infrastructure for everybody, the same IT staff will provide services to all the different, but from a security perspective, oh, my goodness. In my opinion, it's the way to go.
Ray Yepes [00:06:34]:
I really like it. Before accepting this job, of course, I went to read, okay. About Colorado and how the IT infrastructure was centralized and moved that they made back in 2008. And the biggest reason why they made it back then was when we hit the recession. At the time, it was a way to save cost. And again, from economical perspective, it will save cost, and from a security perspective, it will also reduce your risk.
Joe Toste [00:07:03]:
Yeah, no, that's really great. And so this actually talking about the economic perspective. Let's jump to cyber insurance. Now, I've had a lot of conversations with a lot of CISOs, and it's a hot topic these days, right? So we got premiums and deductibles are rising while payouts are falling. Not to mention companies that are trying to find fault with the internal processes to reduce those payouts. This is like a life insurance scam. Colorado has opted with the self insure model. So I like this.
Joe Toste [00:07:30]:
I'm calling this. You become your own bank. I really like this idea. Tell us how that process is going and what you would like to see in order to protect the state of Colorado and what you feel like you would need enough emergency funds to self insure against the cyber risk that's out there.
Ray Yepes [00:07:46]:
Great question. And I agree with you, Joe. It has been the topic of coming of everywhere you go, people are talking about cyber insurance. In current Colorado is an insured state. And when I first started coming for the state, one of the first things that was asked to approve was our cyber insurance bill. So I look at the bill, I go and say, okay, great, I want to see, okay, the previous year's bill. I want to make sure that pairing apples to apples, pairing spares and just making sure I'm making the right policy before approving this so I look okay at the previous bill. And one of the things, okay, I noticed, okay, I mean, that our insurance went from $1 million to $2 million in one year. Needless to say, okay, I mean, that our current provider at the time even dropped us, okay. So we have to go with a different provider to insure the state. Of course, you start seeing higher insurance premium, you start seeing higher deductibles and less benefits. One of the things that you will see up with this is happening to everybody. We're not the only ones. One of the things that I did before deciding to sell legislation, my self insured program for Colorado was I started asking other CISOs, other states, I started conducting my own survey, asking people, are you insured? Are you not insured or self insured? And the majority, 80% plus, are either self insured or considering going self insured within the next year. So it's a movement that is happening across the board, just about everybody. And again, it's interesting, because if you ask me, does cyber insurance work? Absolutely. But in my opinion, it works better for the corporate sector, corporate America. I would definitely advise them, okay. To consider having cyber insurance for in government entity. I would highly recommend. Okay, going self insured or no insurance at all. One of them, I'm going to explain why prison Cora, some of the things that I've been trying to work on, I have a premium case now $2 million.
Ray Yepes [00:09:54]:
I figure that $2 million is already my annual budget. So ideally what I want to do, okay, instead of coming, $2 million for coming to use in case of coming, that we hit, okay, with a breach or that we have to pay. I mean, CDOT incident a few years back was about $1.7 million in cost, so, meaning that the $2 million, okay. Would actually pay and cover for that. But the advantage of programming entities, okay. That most states will have what is called a disaster emergency funding program. Colorado has one, okay. We have a disaster emergency fund that we can always tap into it at any given day.
Ray Yepes [00:10:32]:
It's used many times, okay, for hurricanes, tornadoes, flooding, you name it. Same principle coming that entities can come up and tackle into this emergency funding. So can we okay. With a cyber breach, especially if it's a major cyber breach any given time, okay, most states, okay. Can tap okay into this emergency funding and put 35 million, $50 million. But let's assume that we have such a major incident that exceeds what we can tap up into the emergency funding that is $100 million and we can only take, okay, $35 million. Emergency funding system. One of the benefits, okay, that as a state we have is the governor of the state can always declare, okay, set of emergency.
Ray Yepes [00:11:15]:
If the cost exceeds, we can always come in. Basically at that point, okay, your funding becomes unlimited. It's the same principle the governor, it's not going to let the state go bankrupt. We can get, okay to limit the debt. So to me, okay, that's a backup that corporate America doesn't have. That's why I was recommending for them to be able to have insurance. And so government entities, okay, to go, another advantage that government entities, we can all activate the national Guard. The national Guard has such a powerful cybersecurity program.
Ray Yepes [00:11:50]:
It's incredible. You can always find being self insured instead of having insurance. The program that I'm proposing to the legislation will have not adopted. So the beauty of it, okay, is that again, if the breach, okay, it is 300 hours annual budget with a company, the deductible, most deductible, that's the minimum deductible coming. That most insurers is the $1 million. So again, if you have a 1.5 million hotel breach, that means you're going to. But another advantage will be self insured, is that we'll remain in control of our incident response. That is critical.
Ray Yepes [00:12:35]:
And I'm going to explain why most insurance provider will dictate the vendor that you have to use. It has to be an approved vendor from the provider. Many times they will actually provide the vendor themselves. They don't even give you an option from the provider list. They're going to say, this is the vendor that you need to use.
Ray Yepes [00:12:54]:
Joe, believe me when I tell you, the vendors, okay, that these providers take people you do not want to have in your team, especially responding to a major emergency. These are the most often, okay, the newest, the mom and pop shops that you started, okay, a company, okay. These are the only ones that are willing to charge, okay, the insurance company versus the real big guys that will charge, okay. 253, 54, 50, depending on emergency. So normally, okami, it will give you control of your vendor selection. And this program, the one that I'm proposing, okay, I mean, we'll have a preferred vendor on a retainer. So that way for incident response, okay, we'll have a faster response. One of the ideas was to use this money up here and create a pool and be able to accumulate this pool. That was one option, but then I decided, okay, to go with a different idea, okay. That can help us increase our security posture. Most states that I spoke to, they have this pool and they put this money in a pool. And if we have a breach, okay, we pull from this pool, we don't have to recollect this money the following year. My proposal is having the $2 million, the annual budget, not having a pool. And if we don't have a breach at the end of the fiscal year.
Ray Yepes [00:14:10]:
My proposal is using these 2 million and investing it back into the insured entities that we have for the state into security initiatives like tabletop pen testing, border scans, audits, security training, fee training, whatever training we want to offer. So one of the beauties of this is being able to offer cami and increase the security posture by allowing them to use this fund. And the next year is part of my recurring budget. So every year, I'm going to have to, instead of accumulating, use it, okay, and put it to better use. One of the things that is important to also make sure, especially in Colorado, we're trying to secure the whole state, okay. And one of our guiding principles, Joe, for the state, is no government will be left behind. We believe in the importance of being able to help counties, municipalities, small cities. Imagine, okay. Now, using this program and allowing any government entity within Colorado to be able to tap into our self insured program free of charge. We're not going to charge you.
Ray Yepes [00:15:17]:
You want to be part of it. You want to have cyber insurance, you can tap into our time. You have to qualify. And to qualify, you have to meet the following minimum requirements. So we'll come up with the basic. You have to have multi factor authentication. You have to have encryption. You need to have ABC and D, we can driver insurance.
Ray Yepes [00:15:37]:
Now, think about for this moment now you're going to encourage these entities, maybe they didn't have multifactor authentication, but they want to qualify. They want to go and get multifactor authentication. So in a way, you are improving the security posture of these smaller government, these smaller entities. One of the things that, to me, is important as a selling point is this. Going this route, it will increase the partnership and collaboration between the state and the municipalities, the counties, the cities, the small entities, tribes, everything. You can improve partnership and collaboration with this route. You can improve security posture for everybody across the board. And keep in mind that when you think of being able to assist them with, hey, if you are here with a breach, in addition to our cyber insurance, okay, that we're going to cover the cost, we're going to also assist you with your incident response, because we have the resources now with the state.
Ray Yepes [00:16:41]:
So being able to do that okay for this smaller entity is truly a way okay of honoring the guiding principle, no government will be left behind. So to me it presents a win win situation going with self insurance also. One of the things that government can also tap into it is we can leverage on law enforcement partnerships. That's one thing that every government entity has. Think about this for a second. I have two people at the FBI Denver office that work for my unit for security in these federal partners. The advantage is you're building partnership.
Ray Yepes [00:17:21]:
If we're hit with a breach, if I approach the FBI or the Secret Service or Homeland Security, whoever, I need to approach the federal agencies, do you think they're going to say no when it comes down to helping me out? They're going to jump. They don't want to jeopardize this partnership that has been so helpful both ways. Needless to say, this partnership also helps with threat intelligence, which is also key in this area. So hopefully. Okay, I didn't take too long, Joe, but that's how ambitious cyber self insured program. Okay. That I'm trying to legislature for the state of Colorado. Yeah.
Joe Toste [00:17:58]:
So I love. There was so much you said, this is why it didn't open my mouth. I just wanted to let you. Let you talk. No, this is great. I love the fact that you're building relationships in advance of an emergency happening because the emergency will happen at some point. The bad guys just got to get it right one time. But having that relationship in advance is fantastic.
Joe Toste [00:18:22]:
One question I had as just a quick follow up was what states do you see that are the most similar to Colorado right now? When you're talking with your peers, with the other state CISOs, do other states have this no government left behind model? What states are the most similar for you that you are bouncing ideas off?
Ray Yepes [00:18:41]:
First of all, I tell you this, Joe, great question. I wish I had my notes because I can actually tell I had a lease to kill the state because in my sales point, the legislation trying to offer this, I actually listed the state that first self insurer.
Joe Toste [00:18:56]:
Okay, you need a notebook like me. You need a notebook like me.
Ray Yepes [00:19:01]:
So I don't want to interrupt, but basically I can think of one from the top of my head, which I have worked with for that state. Okay. Quite often is New Hampshire. They have a great model and they do have a pool, which is different from what I'm trying to propose. I think my unique approach is an approach that we're going to have to an approach that is recurring expense for us with the benefit. Able to benefit. Okay, again, that's going to improve my relationship. Okay.
Ray Yepes [00:19:32]:
With everybody in the state and improve. Okay. The security posture. I don't know of anybody. Okay. I'm sure there are other states, okay. Doing this, but I don't know if anybody. Okay.
Ray Yepes [00:19:42]:
I mean, currently doing this.
Ray Yepes [00:19:44]:
That was a question.
Ray Yepes [00:19:45]:
When I conducted my survey, it was only to know who's insured, who's not insured, and who's self insured, basically. And for instance, in Texas, okay, at the third largest agency, we went uninsured the entire five years I was there. We never had insurance. Because if we're here with a breach a, we could come up with emergency funding from our well, say, okay. That we exceeded that. I will go to the governor and say, declare a state of emergency, period. We had no program. We're no insured.
Ray Yepes [00:20:15]:
The agency. Okay. That was my decision at the time. And it worked out at least for the five years that was there, okay. We never had to deal with any breaches. So, no.
Ray Yepes [00:20:25]:
Right.
Joe Toste [00:20:26]:
Yeah. But did you pick up the phone? You're like, hey, Nancy. Hey, Nancy, I got a question for you. Yeah, she's super awesome. I really love her, too. Okay, let's talk about threat intelligence. So, on our podcast intro call, you had mentioned that after 9/11, the US government invested heavily into the intelligence agencies that obviously now we're in this massive cyber war. Can you maybe talk about the importance of intelligence and how you're coordinating in Colorado versus just the many cyber threats across the world?
Ray Yepes [00:20:58]:
Well, first of all, great question. Intelligence, I don't know if you heard me. Okay. With the advantage of leveraging the law enforcement partnership that we have in Colorado, that helps in our threat intelligence. First of all, because we're able to gather information. But first, I like to say the following.
Ray Yepes [00:21:14]:
Many people, threat intelligence, they think, okay, many times threat intelligence is really vulnerability scanning in a way. They think, okay, that threat intelligence is going and telling you what open ports you have. And again, this is a misconception in the industry. Things, okay, before they even happen, things in the making. That's true. Threat intelligence. And when you think of coming about federal government show after 9/11, they invested heavily, okay, into the intelligence community. I cannot tell you how many times the federal government, the US government stopped similar events to 9/11 from happening.
Ray Yepes [00:21:57]:
And it's not that they stopped federal economy as it was happening, because that would be. Okay. I'm going to read the scam. Well, this is. They infiltrated, they were paraphrased this as it was in the making, that, my friend, is true threat intelligence. And that's what a true threat intelligence program does. They want to have people working in the dark web because one of the things that happens, people don't realize, people talk. So if I'm planning a cyber attack on say, in an agency in the state of Colorado, most of the time I'm not going to do it alone. Most of the time I'm prepping for this. I'm dealing with other people.
Joe Toste [00:22:41]:
People talk all the time.
Ray Yepes [00:22:45]:
So this information leaks. A true threat intelligence analyst is gathering this information, is participating with these entities that are trying to cause the breach or the threat. So many times the US government has had sources and corporate operands on your own side is criminal and that's how they're gathering information. So in my opinion, a threat intelligence program is one of the things that I'm about to start again simply because I want to create a true threat intelligence program. One, okay, that will be leading in the dark web, one, okay, that will be coexisting, negotiating, talking with people in the dark web to try to understand things before they happen as they are planning the attack. Because again, I can find, okay, through intelligence and through some programs I can find out, okay, that we have a port open and people, I see communication going back and forth. That's a tool. A tool is telling you what's happening.
Ray Yepes [00:23:50]:
You know what I'm saying?
Ray Yepes [00:23:51]:
Threat intelligence requires human brain behind the scene, somebody that will come, okay, and be able to tell you and say, hey, listen, I just heard you're creating the dark web today, that they're selling credentials for the state of Colorado for $5,000. I saw a high bidder that won 5000 and he ended up with about 100 credentials for the state. That, my friend, is good information because the hacker has not had yet a chance to exploit these accounts. Now if we really get that these accounts were sold and we can get hold of the database that was sold, that's true threat intelligence. Now we can come up here and protect, change the passwords, do whatever we need to do. Normally if I sell your accounts, okay, that I'm offering, you're going to say you're in the dark web and you're trying to sell accounts. You're not going to come, okay, and buy 100 accounts, okay, from me, 100 good accounts. You don't want to take, negotiate with me and ask me, give me a sample sending you 100 accounts.
Ray Yepes [00:24:49]:
I want to give you five accounts. Go test out, okay? So you can see that these passwords still work because, Joe, think about it. If I tell you that I have 100 accounts with current passwords for the state, how do you know that this password has not been changed? You're not going to go pay $10,000 for this information. Suddenly you get the old password change. You ask for a sample. You need to make sure that your information that you're receiving is valid before you even jump into it. So that's buying you some time, if you can find out, okay, when the information took place, you still have time to go and correct and make a difference before something happened. Does that make sense? Okay, with that example.
Joe Toste [00:25:30]:
Oh, yeah, no, I love that example.
Ray Yepes [00:25:34]:
With 9/11-like attacks, okay, many times they stopped incidents where people were planning bombs, where people were planning and we were giving the fake bombs for them to carry out their terrorist act. You know what I mean? Imagine we're even controlling what we were giving the, here's a bomb. They're thinking that they actually have a bomb, and it was allowing us, okay, to gather who the players were, what their target was, what their intention was. That, my friend, is valuable information that you don't get through tools. You need, okay, that human mind you need, okay, somebody wearing, okay, that cuff, hat in the bank, rep, all day gathering information, intelligence information. I learned that there are many people out there, okay? I certainly know why fear. I know probably the best intelligence analysts I ever met.
Ray Yepes [00:26:25]:
I learned that from the.
Ray Yepes [00:26:26]:
That it was critical coming to always have the human factor right behind it.
Joe Toste [00:26:30]:
That's great. So there's the critical human factor, which I love. You hear a lot about AI and everything, but at the end, there's still a human behind the scenes partnering to make sure, because at the end of the day, humans are still going out and deploying. There's someone behind the scenes. So you need someone to go to work and figure that out. I love that. That's fantastic.
Ray Yepes [00:26:53]:
The FBI, the secret service, and national security matters at the time coming back, this is back in 95, I created what I called nine handles. At the time, these were users, hackers that I was going to lead them, okay, to become famous through time. Because when I normally do business with a newly person who doesn't have a reputation, I maintain these names and slowly occur through intelligence information. I burned them as I was going. My last handle, I burned, okay, in 2011. Imagine I was able to keep this hacker, okay, from 1995. He was very well known, very well respected. Little people have no clue that this person was working, okay for the intelligence community, for the FBI, and secret service and all the things.
Ray Yepes [00:27:43]:
So really work hard on building this handle so that way of other hackers in the community. Does that make sense?
Joe Toste [00:27:51]:
Yeah, no, I love that. Do you know Tim Roemer, by chance? Does that name ring a. He's the director of homeland security and the CISO in Arizona. Back in the day, he actually worked at the CIA in the White House. And there's actually a funny photo of Tim where he looks super young, and he's with Barack Obama at the time. So when you leave the CIA, he was telling me the kind of last day in office, you get a photo with the president, and they got this high powered camera, and so that's your going out photo. But he worked eight years there, and he was on the podcast talking about the same thing. You were talking about how much of that experience was so valuable working in the White House situation room.
Joe Toste [00:28:33]:
You don't actually work for the president or any party. You just work for the CIA, right? You're behind the scenes, and that work that you're talking about is critical, I think super important, which I found. Some CISOs who have that experience seem like they're really dialed in. So it's a great.
Ray Yepes [00:28:50]:
Remember one time, I was working on a plot that was taking place that was in the building, and I actually used two of my handles, one to gain the trust of the person that I needed, and the other handle to actually do the opposite, typing one computer, say, hey, don't trust this guy. I bet he's a cop, even though I'm that guy. So at this guy, whatever dude you're talking about, I'm not a cop. Okay? I say, I bet you are. So I was protecting this other hacker to gain his trust by telling him, don't believe myself. Right. It was interesting conversations dealing with two monitors at the time. Okay? Trying to keep two conversations going.
Joe Toste [00:29:30]:
I'm now never going to trust an email that comes through from you now, because you're just going to be messing with me now.
Ray Yepes [00:29:36]:
Okay?
Joe Toste [00:29:37]:
So the last point we had, you had these kind of four pillars. So I just want to summarize for the audience. Centralized, decentralized. We're talking about governments, the cyber insurance, the threat intelligence. And the last pillar that we were talking about is recruiting. Right. As people are critical, how are you hiring cyber talent right now? Where are you looking for talent? How are you retaining talent on that, Joe?
Ray Yepes [00:30:02]:
Great question. And everybody, when you talk to CISOs, when you talk to anybody in security, they're having a hard time finding good talent. It's unbelievable. And they okay, the big companies, they're the ones able to afford Navy Seals out there. To me, okay, the way I found talent, most of my career has been okay through connections, through partnerships to people I've known, and through networking, because, Joe, I can put a resume right now for you. Perfect resume.
Ray Yepes [00:30:31]:
And Mike.
Ray Yepes [00:30:31]:
And lie 100%. How are you going to truly verify this? You know how difficult that is? I cannot tell you how many times I've seen people exaggerate. People inflate resumes. People make up stuff in resume. So you truly have to rely upon the reputation of this person.
Ray Yepes [00:30:47]:
And when you think about the security.
Ray Yepes [00:30:49]:
Experts out there, my goodness, a lot of people call themselves security experts. They're not very handy of what the call the two Navy Seals out there, that I actually have respect for their knowledge and what they do. So networking is key. How do you retain this talent? How do you keep them from not going and moving to the next major opportunity? Because the moment you have and the moment you train, the they become more valuable. They leave. That's typical in this industry. So how do you retain them? And this is when I preach way too many times about this is you have to lead, okay?
Ray Yepes [00:31:27]:
With a heart.
Ray Yepes [00:31:28]:
Unfortunately, we live in a world where people forget the importance of the human sector. We have to be human first and foremost, before anything else. We can all treat people like objects. We have to treat people with respect. We have to care about people. And nowadays it seems okay, that is.
Ray Yepes [00:31:49]:
Lacking in what I see. You don't see the true leadership on.
Ray Yepes [00:31:54]:
Leaders that they want to lead and make a difference. If you don't have that, you lose. Okay. The very foundation that you need to retain your people. And to give you an example, in Texas, the agency I was, we had zero turnover. People did not leave. And I'm going to tell you a story about that. As an agency, we have the lowest salary of any other state agency in Texas.
Ray Yepes [00:32:20]:
So how did I achieve zero turnover with the lowest salary in the industry? My people, Joe, were getting offers left and right, 20, 30, 40 and up to 50% of what they were making, coming and working for the state. Just a different agency. All they had to do was switch from one agency to another one. They were able to make 50% more. That's a big salary. And they were after my people because they knew we became a powerhouse when I took over these agents, okay. The security unit was very poor by the time I left. We have one of the strongest security units for the state.
Ray Yepes [00:33:02]:
So people call me a customer, people all the time, in fact, okay, my right hand person, she will get offers weekly. Yet she was there, yet she's now the new CEO. She actually took over my role. So to me, you have to care about people. You have to sector people. You have to teach them leadership. My right is a great example. This is an individual, Joe, that had no security experience.
Ray Yepes [00:33:28]:
Zero. She wanted to get up into security. She was working help desk, and she was interested in security. Somebody asked me to meet with her. Okay? I did.
Ray Yepes [00:33:38]:
Okay, what I call, okay, maybe in.
Ray Yepes [00:33:41]:
Texas, okay, courtesy interview. So I interviewed her, but I could see her attitude. I could see this person have what it took just by talking to somebody, you could tell, you could see. At the end of the day, okay.
Ray Yepes [00:33:55]:
I made the decision, risky decision.
Ray Yepes [00:33:58]:
I actually offered the job to this individual that had no experience. And I remember, okay, her first week at the job, I sent her to take the CISSP. I just threw her into the water.
Joe Toste [00:34:09]:
In the deep end. Yeah. Push her off the deep end. Yep.
Ray Yepes [00:34:12]:
But again, this is an individual coming that I mentor, that I coach, that.
Ray Yepes [00:34:19]:
I train, and now she's the new.
Ray Yepes [00:34:22]:
CEO for the agency. I guarantee, okay? I mean, I bet everything I have, she will do a much better job than ever.
Ray Yepes [00:34:29]:
The are data.
Ray Yepes [00:34:30]:
I can bet. So, Joe, it's important to care about people. It's important, okay, to show the leadership. It's important to teach people to lead with a heart. Care about the people that you're working for. Because at the end of the day, we think we're coming, that here we're public servant, we're servicing the public.
Ray Yepes [00:34:47]:
Guess what?
Ray Yepes [00:34:48]:
You're also servicing your own people. One of my favorite leadership philosophy, okay? Servant leadership. I truly believe that's one of the best way, okay, to lead by being a servant. And that has been my philosophy coming for the last two decades. I want to serve the people that work for me because we're in all this together. But caring about your people, the want to see, okay, if you are truly a genuine leader, that you are an honest leader, and believe me, you will learn, okay, that money is not everything. And I remember, okay, when I went to work for the state of Texas, okay, I took an $85 pay cut, not including bonuses. People ask me, okay, what in the world is my wife goes, what we never.
Ray Yepes [00:35:35]:
And she goes, why are you crazy? Calling in our life and making money was not my calling. Making a difference was my calling. And here, being a public servant, okay, you have the opportunity to make a difference every day of your life. And it's important to remind the people that work for you that they are all making a difference. Because again, if they want to make money, I can go getting a job at one of the big tech companies and they're going to pay them two, three times of what they're making here. But are they going to be making a difference the way that they can.
Ray Yepes [00:36:08]:
Make a difference right now?
Ray Yepes [00:36:10]:
So imagine that we have an ability to tell people to be superheroes every day, and our superpower is that being able to help others make difference in this world.
Ray Yepes [00:36:26]:
And to me, that's priceless.
Ray Yepes [00:36:28]:
There's no company out there coming that can offer me enough money, okay, for me to want to. In my opinion, okay. I love what I do now. Came in this new position. I love it even more because I have a greater chance and a greater opportunity to make even bigger difference. Before I could only make a difference one agency. Now I can make a difference of many other agencies, if that makes sense. I truly believe for coming that leaders is what makes a difference.
Ray Yepes [00:36:54]:
You can offer the usual staff for coming, offer them training, help them grow, mentor them as they want to leave your company, basically, but treat them so well that they will never want to leave.
Ray Yepes [00:37:05]:
Does that make sense?
Ray Yepes [00:37:06]:
It's almost like an oxymoron. You want to give them the tools. You want to help them grow. You want to train them, you want to mentor them so that way you can prep them okay for the next job. That way you can prep them okay for them to want it. But you're going to treat them so well and with so much respect that they'll never want to take that job. Does that make sense?
Joe Toste [00:37:26]:
Yeah, it's an emotional heartstring. And I love that because people always will stay with somebody or stay with a boss if they know that person cares about them and has their best interest. And the I want to unpack two pieces because you had a lot of really great stuff in there. And I know we're running out of time, but I want to dial this in. So networking, retaining people so very quickly, because if we could do a two or three hour podcast, but very quickly on the networking front, what's one or two of your favorite open ended questions that you ask potential employees when you're interviewing? Or maybe not even when you're interviewing, maybe when you're at a Starbucks or you're at a conference. What are one or two open ended questions that you ask that kind of pique your interest on a cybersecurity front?
Ray Yepes [00:38:17]:
Usually ask questions and know associate okay.
Ray Yepes [00:38:21]:
With a resume or with a job.
Ray Yepes [00:38:23]:
I want to find out, okay. About the personality. So one of a good question, okay. And I haven't asked this yet, okay. But I used to ask her, okay, especially one of my number one questions was I would straight on their eyes and say, do you lie? And I would love to see, okay. How they will react because, no, I never lie. And you're going to say, that's just a lie right there. Because it's impossible for humans not to lie.
Ray Yepes [00:38:49]:
Somehow, some way, 100%. Some people lie more than others. Some people lie less. Some people. But people justify themselves. They come and say, I don't lie. I just exaggerated. That's a way of lying.
Ray Yepes [00:39:01]:
I'm sorry. I don't care how you want to sell it, but it was one of those questions that would set a baseline going forward. You already knew, okay, I'm not dealing with a BSA or not. So that was the number one question we asked people, did you lie? And guess what? When interviewing criminals, you go, okay, but then of course come life changing experience. That's a good one. It will tell you a lot about their personality. It will tell you, okay, I mean, how they see the world, because I'm not kidding. Okay, I have people.
Ray Yepes [00:39:33]:
I asked that question, okay, tell me about a life changing experience. I remember, okay, one time, okay, and they will mention something stupid, Joe. I mean, they will come up and say, I remember one time, okay, that I had an accident, my car was.
Ray Yepes [00:39:45]:
Stolen, and that changed my life forever.
Ray Yepes [00:39:47]:
And go again. For that person. Maybe it was shocking, but it tells you a lot of the perspective of the person. Obviously, you haven't lived very much, because if that's the biggest, most shocking thing, okay, that changed your life experience, okay, has been minimal or you are only focused on the material things. And then of course, that bothered you because the cost of the vehicle. So it's interesting to see what people are going to respond, okay. To that question. It will tell you their maturity level, but more importantly for me, it will tell you, are they people, okay, that can have a heart, live with a heart, be a human factor.
Ray Yepes [00:40:27]:
That question will answer that because depending on the answer, you're going to get a good feel and say, oh, this is a great human being. This is somebody I would definitely want in my team. Because that's another thing, Joe, I can give you the smartest person right now. And if this person did not work well with you, it's useless to you.
Ray Yepes [00:40:45]:
And your team, even though he can.
Ray Yepes [00:40:47]:
Have all the certifications, all the degrees.
Ray Yepes [00:40:49]:
So you need to know emotionally and.
Ray Yepes [00:40:52]:
Personally, will this person be a good fit for my culture before you bring them in? So that's one question to me, okay. Another question I have asked in the past, I would ever guess, okay, I mean, if you told the I did this, and some people will come up and say, oh, God, I was a sailor. And you go, what? And now you decide I was a midwife, or they will come up, okay. With things, okay. That definitely you would not expect for coming. And those are great questions. Tell me something that nobody would ever guess about you. So now I'm going to ask you this, Joe.
Ray Yepes [00:41:24]:
Do you lie?
Joe Toste [00:41:25]:
Oh, do I lied today? Can I tell you?
Ray Yepes [00:41:27]:
Sure, go for it.
Joe Toste [00:41:29]:
Can I tell you what I lied about? So I went to get coffee with my wife at Handlebar Coffee. And there's a sign that's like, hey, 15 minutes parking. And my wife's. If we get lattes, it's going to be more than 15 minutes. And I was like, don't worry about it. We'll just lie. The parking people. Don't worry about it going to happen.
Ray Yepes [00:41:46]:
I'm guilty.
Joe Toste [00:41:47]:
I'm guilty. I really wanted the coffee. It's going to happen. There's all kinds of funny stuff I do.
Ray Yepes [00:41:54]:
It's normal. I mean, I'll give you an example. I remember my daughter was seven years old, okay. And one of the cats, okay. Was really sick, okay. We had a cat and we took the cat, okay, to a vet, okay. And the cat had cancer. And the vet said, okay, I highly.
Ray Yepes [00:42:07]:
Recommend you don't ask the cat.
Ray Yepes [00:42:08]:
So, of course, I told my wife and daughter, go wait in the car. I stay with the cat. Died in my arms when I come out, okay. My daughter asked, where is the cat? I said, oh, they're going to leave her for the week in there. You know what I mean? Observation just to see if her health improves. I just didn't have the heart to talk about that.
Ray Yepes [00:42:25]:
I wanted to first get used to.
Ray Yepes [00:42:28]:
Not being with the cat for about a week. And then that was a bit, okay. A week later, I say, hey, baby, I just heard from the vet. Unfortunately, the cat died. I didn't have the heart to tell her, okay? I just used the knife and killed the cat.
Ray Yepes [00:42:38]:
I could.
Ray Yepes [00:42:39]:
Whatever the reasons are, we would human nature. I mean, we lie, okay, about goofy little things, but to me that was almost like an icebreaker.
Joe Toste [00:42:50]:
Oh, yeah. Actually, I got a great one. So for those who have kids, if you're a parent out there, you learn really quickly between what you say and what you do. Because the kids, when they start to get old enough, they start to call you out on it. It's probably the ultimate where you're like, okay, now I just said that and I did something else. Now they think I'm lying the entire time. And then you have to reconcile with, this kid's going to hold me accountable. That's actually a really funny one.
Joe Toste [00:43:20]:
So if you're ever in the interview process and you're with someone's kids, you could ask them, hey, what's your dad or mom? What do they lie about?
Ray Yepes [00:43:28]:
Think about this for a second, Joe. First of all, the more people lie, okay, this is a correlation I made, okay? Throughout the years. Pay attention to the lie, the unhappier they are. Now. Think of. Gandhi used to say, the trick to happiness is you want to be happy. Gandhi used to say, you have to.
Ray Yepes [00:43:46]:
Align your words, your thoughts and your actions.
Ray Yepes [00:43:51]:
They have to be in perfect harmony. Think about how deep, okay, that is, how many times, okay, we say something that inside of us, we don't think, okay.
Ray Yepes [00:44:01]:
Or agree with it, or do something.
Ray Yepes [00:44:03]:
Okay, that we don't think, okay. Or even say. So if you can have your words, your thoughts, and your action perfect alignment, you're going to reach to say, try to do that daily.
Ray Yepes [00:44:15]:
If I can?
Joe Toste [00:44:16]:
Yeah. You admit you're a work in progress. So am I. We're going to end up with this. We're going to end with leading with the heart. You're going to be able to have a much better team, better culture. I love this conversation we had today. Ray, where can people find you at? What's your favorite spot, LinkedIn or Twitter? Where are you kind of most active?
Ray Yepes [00:44:34]:
As important as it sounds, I don't have any social media, not even LinkedIn. And the reason for that is I used to testify so often. I mean, I testified in federal and civil courts in my career. So that was the first spot, basically. First spot. Okay. I mean, the opposing counsel would go discredit you, basically. So I never had any of those.
Ray Yepes [00:44:57]:
Facebook, WhatsApp, nothing. Okay. That is even social media related again. So if people want to reach out to, they can reach out. Okay. At first name, last name together.
Joe Toste [00:45:09]:
Awesome. And you can subscribe and follow the TechTables podcast for when Ray comes out. Ray, this is awesome. Thank you for coming on TechTables. I really appreciate your podcast.
Ray Yepes [00:45:18]:
And truly, out of all the podcasts out there, I believe you have the best one on it. Not because I'm part of it.
Ray Yepes [00:45:24]:
You have the best one and you.
Ray Yepes [00:45:25]:
Have some good Navy seals out there. I'm telling you, you have some very smart and talented people and you have done a fantastic job. Sir.
Joe Toste [00:45:34]:
Believe me, I just asked the questions. Everyone else still is in the great conversations. So thank you, Ray. I really appreciate it.
Ray Yepes [00:45:42]:
Thank you, sir.
Joe Toste [00:45:43]:
You're listening to the Public Sector Show by TechTables, a podcast dedicated to sharing human-centric stories from CIOs and technology leaders across cities, counties, state and federal agencies. Joining in the conversation and touching the hearts and minds of leaders across technology today, from mission-driven leadership to cloud, AI, to cybersecurity, workforce challenges, and more. Never miss insights from peers and vendor partners across the public sector. And to make sure you never miss an episode, head over to Techtables.com and drop an email to subscribe. New podcast episodes come out every Tuesday and Thursday, along with weekly behind the mic newsletter. And one of today's podcast sponsors is TechTables Plus, an engaging new community where you can have early access to never-before-released episodes, early access to live event recordings, early access to weekly three interesting learnings, early access to live event ticket purchases, no episode ads and more, plus three extra special bonuses when you sign up today: bonus number one, access to the CEO show; bonus number two, access to the Higher Ed show; and bonus number three, access to the digital show. Join TechTables Plus today. As always, thank you for supporting the TechTables network.
CISO, State of Colorado
Ray Yepes is the former Chief Information Security Officer for the State of Colorado Governor's Office of Information Technology. Before his current role, Ray served as the CISO for the Texas Department of Family and Protective Services, the third largest agency in the Lone Star State. Ray holds a Master of Science in criminal justice and a Bachelor of Science in computer science from Sam Houston State University.