Oct 6, 2024
Episode Description
In this conversation, Ron Leplae, a CISO and security advisor, shares his extensive experience in cybersecurity, discussing the evolving landscape of threats, the importance of user awareness, and the role of AI in security. He emphasizes the need for continuous learning and adaptation in the field, as well as the significance of balancing security measures with user trust and understanding. Ron also highlights the challenges faced by security professionals today and offers insights for those looking to enter the field.
Intro: I cut some of the parts about the company out, because it's more about you, but just like two sentences and then we get into the questions. So, hi everyone. Welcome to the Hands-on CISO podcast. My name is Adi and today we'll be talking to Ron Leplae, who works in the security advisory practice of Seheka.
Ron acts as a CISO for several of their customers as part of the CISO Office of Service, which is super interesting. And we haven't had anyone like that on the show yet. So I'm really excited. Ron, how are you doing today?
Ron Leplae (00:40.268)
Hi Adi, I'm doing fine, busy busy, I'm happy to be in your podcast and to have a conversation.
Adi (00:47.604)
Amazing. So before anything else, how did you get to the point of basically being a CISO of multiple companies?
Ron Leplae (00:56.212)
Well, my career started quite some time ago, and I started in the payment industry, more precisely remote payment. So in the late 90s we felt there was a need to develop a product for being able to pay over the internet, and we were kind of a pioneer. And when you do payments, and specifically on the internet,
in the same phrase, in the same sentence, will come security, because people will try to abuse it in all kinds of ways. So I've been busy 20 years in the payment industry. I've seen it 360 degrees. I created a company that builds software. I worked at a bank, I worked at a processor. I worked with a large international company doing point of sale, but also virtual point of sale. So that's...
where the majority of my skills with regards to security were acquired. For more than two years now, I have worked for Seheka, which is an IT company, 10,000 people, international. And in Seheka, I work for the security practice as an advisor. Sometimes I'm an advisor if the customer has a CISO, and in certain cases, where the customer does not have a CISO, I act as the CISO for the customer.
You explained we have what we call CISO Office as a Service. This is an offering where one or more people are offered to the customer, which could be complemented with subject matter experts like identity and access management, or it could be engineering. So we can really complement the customer in his needs and his journey, because for me, security is a journey. You start at point A and you go towards point B, you improve it.
We accompany the customer in his security journey to become more cyber resilient. That's what we do.
Adi (02:51.518)
Amazing. And what does your day to day look like now?
Ron Leplae (02:55.744)
My day-to-day occupancy can contain meetings, it can contain making reports. My personal favorite is to show the needle and to show that the needle is moving in the right direction. We can't fix everything the same day, but constant, constant improving, that's part of my job. Setting out priorities to security teams, giving input to SecOps teams.
Yeah, I drink, I eat, I live in security the whole day.
Adi (03:31.168)
That's perfect. How do you keep updated in this field that is changing so fast and there's so many things going on all the time?
Ron Leplae (03:39.54)
It's constant study. Constant study. I'm a little bit at an advantage where I work for several customers, which sometimes means you learn something at one customer and you can reuse it with another customer. Of course, respecting all privacy and discretion, but having a number of customers is an advantage in my role compared to if you're a CISO for one big customer, where you have to...
sometimes invent everything yourself, but I have the advantage to learn on many, many accounts and to bring to other customers an idea which might be from one customer, and vice versa. I think that security is not a competitive item. It's a burden. Everybody has to do security, and best practices, like we call it in security, is something you can share.
Adi (04:35.528)
Interesting. You say it's a burden. Like, how in touch are you with the people working in the different companies you advise or act as CISO for? Like, do you do a lot of education things for the company, or is it all more in the technical?
Ron Leplae (04:51.38)
Absolutely. It's all. Of course, awareness is very, very important. Next month, October, will be cybersecurity month. Many companies constantly need to create awareness for the users. Also, it's important to educate engineering, to sometimes explain why certain things are important.
So education is definitely a very, very important pillar. It's not all about, I will buy tool ABC and bang, the problem is solved.
Adi (05:30.238)
Interesting. How do you see the balance between, on the one hand, putting controls in place, like everything, making it as hard as possible to accidentally make a mistake, and on the other hand, creating a culture that is security aware, so that if someone gets something weird over email or something doesn't work right, they know to tell you and to check it.
Ron Leplae (05:53.932)
Both go hand in hand. I think awareness is one of, I would say, the low-hanging fruits. It doesn't necessarily cost a lot of money, it costs a bit of time. But the people are actually the eyes of the organization. And especially because the security landscape is constantly changing, it's important that a human will always be smarter than tooling.
So if a human sees something which looks a bit odd, we, as security people, want to be informed about that, and then you can take mitigating controls to contain that problem. So I would say controls and people go hand in hand; you also have what they call process and people. Definitely for me, the people are very important. And I would also say that...
as a CISO or as a security advisor, we're not there to point the finger at the user: don't do this. We'd rather prefer that the user says, I was stupid, I clicked on this link, and that he tells it and we can take measures. The first thing we will do is check if other users got the same email. So it's important that between security and the users there is trust, that the user can always say, there's something,
I will tell it to security, rather than: they will be mad or they will be angry or they will take actions against me. No, that's not our role.
Adi (07:28.264)
Interesting. Have you ever felt like you're the bad cop or are you able to stay away from that title sort of?
Ron Leplae (07:35.714)
I don't feel like the bad cop, but sometimes you can run into situations where the user says, I feel too restricted. And the user could be an admin where we put certain playing rules, basic playing rules, or it could be a user that wants to do something that we block for privacy or for compliance reasons. And for me it's very important to explain to the users and to the engineering
why certain things are protected in a certain way; that always has a reason. Why you need to change your password, why it's not a good idea to use the same password everywhere. If you explain those things to people, they understand it. And I think that's more important than just putting controls in place, which people will sometimes...
find invasive or restricting their freedom to do certain things.
Adi (08:38.558)
Interesting. I'm assuming, since you've been in the field for a while, have you ever come across a bad incident in one of the... without any names or companies, obviously, did you ever have a bad incident in a company you were working in?
Ron Leplae (08:56.16)
We've seen incidents all the time. Personally, I have never been involved in a large-scale ransomware, but I do know people who lived that and explained and told the story in detail. And most of those people say, I never want to live that again, because it's a horror situation to be in.
You're called out of your bed in the middle of the night and all the computers are encrypted. But personally, I haven't lived that; regular incidents, though, happen all the time.
Adi (09:35.41)
Interesting. What do you do when that's the situation, when things are on fire? Like, from what you've heard from the people who are around you, when it's like that moment of things are happening now.
Ron Leplae (09:49.44)
Yeah, but as a matter of fact, everything starts before, because if it happens and you need to scramble to think what you will do, you're dead in the water. Everything starts before. You need to have a plan: if that will ever happen, what will we do? And that plan could contain many things. It will contain what you will do, who needs to be contacted. And it can be as basic as
how will we communicate? Because if, for example, your infrastructure is a victim of ransomware, you won't be able to send an email to your colleagues. You won't be able to do a Teams call. So in a good plan, you will also foresee out-of-band communication. You will have lists of people to call. You will have a runbook of who takes what action. So a well-thought-out and
tested incident handling procedure is very, very important. I would say that's more important than what you will do when it happens. You just take the plan and you follow the plan.
Adi (10:58.792)
Interesting. What do you think is something that people outside security don't necessarily understand about it?
Ron Leplae (11:08.018)
I think... I always try to explain to people why certain things are in place. Like, why should you not use the same password on all the sites you're using? Very simple. Regularly it happens that a site is compromised, and then that hacker has stolen your email and your password. The first thing they will do is try if that email and that password work on another site. So if you...
change or use different passwords, or a password manager, or other mechanisms, you will not be a victim of that. And for many, many other security measures we take, there is a reason. Why is your hard disk encrypted? Because if somebody steals it or you lose your equipment, people cannot access the data and the programs that are on the machine. So many things in, or I would say everything we do in security, has a reason. It's not just to
make it more difficult or to spend money. No, we do things to address certain risks. Everything starts with a risk. For me, it's also very important to talk to the business. The business needs to give input on what the risks are. And then we as security will take measures, actions to mitigate, limit, or remove or reduce those risks.
Adi (12:29.278)
Interesting. How do you see the balance between the business and communicating what the risk is, what you need as a security team, and the actual security?
Ron Leplae (12:42.228)
As a CISO, you want to spend the budget, the bucks you get, efficiently. And actually you always start from a risk inventory. You will say, what are the risks? Which risks do I want to reduce? Can I eradicate the risk? Maybe not, but maybe you can reduce it. And then if the company feels comfortable that this is an acceptable risk, so we don't have to remove all the risks,
it's acceptable, it's okay. But very important is to have an inventory, that you know your risk, you communicate it with the senior management, and if it's accepted, it's okay. But for me, the business comes first, and the business needs to, in collaboration, the security needs to explain to the business what the risks are, and then together we take action to mitigate those risks that are not acceptable. And for different companies,
the risk appetite can be different, and also the crown jewels will be different depending on what the activity of your company is. So it's important as a security person to understand the business and to see which are the important systems that really are critical, and that protection will be in relation to the criticality of the system.
Adi (14:06.622)
Interesting. Do you ever remember making a decision that in retrospect wasn't necessarily the best thing to do in terms of security?
Ron Leplae (14:17.26)
Something which is dangerous is jumping to conclusions, to say, this, I've seen it. That's that. And I think for every incident or everything that happens, to always stay unbiased, to thoroughly check and make the right decision. I think that's important.
Adi (14:37.428)
What would you say is the biggest challenge in cybersecurity right now?
Ron Leplae (14:42.836)
I think keeping up with the speed, the speed of threats that change, technology that changes. Definitely in the last years that drumbeat has definitely gone up. Also, if you look at Patch Tuesday, when Microsoft publishes all the new vulnerabilities that they have addressed in the new releases, you clearly see that the frequency is going up.
So that's a challenge, to keep up with the vulnerabilities that come out. Also the attacks, they become more sophisticated. Even take a simple example: you have phishing. Phishing becomes more and more intelligent. The time when you got an email coming out of a country with poor language and you could read
five mistakes in the text and you say, this is not PayPal, but somebody pretending to be PayPal, that era is definitely behind us today. You have perfectly written emails, emails with the logos of the companies, with a name. You look it up on LinkedIn, that person really exists, but it's a threat actor impersonating somebody. And really the last thing we start to see is deepfakes,
where the CEO of a company is calling somebody on WhatsApp. You see the person talking, you hear the voice, but with artificial intelligence, it's completely generated, and difficult to tell the difference between a fake video call and a real video call. So this again boils down to awareness, to explain to users, this is there, and not...
AI will be there in two years' time and then... no, today we start to see that. So telling that to the user is very, very important.
Adi (16:44.426)
How do you feel about AI?
Ron Leplae (16:47.834)
AI comes with a lot of challenges, a lot of challenges, but it is there and it will not go away. I will give you one example that I often explain to people, and when you explain it, then they say, wow, I didn't think about that. One of the things I tell customers, or even people I meet in my social life, I say, everybody knows ChatGPT, great tool, of course, but you need to be careful. And then I give the following example.
For a large company, you just had a board meeting and you discussed a potential takeover target. Meeting done, you discussed several candidates, and then the secretary, she needs to translate the minutes of the board meeting. What's easier than just putting it in ChatGPT, and it will mock up and embellish the text a little bit. But what you just did, you taught
ChatGPT what your targets are. So the next user, I'm exaggerating a little bit, but people understand it then, the next user that is saying, company ABC, what would be potential takeover candidates? ChatGPT will answer it. You just taught it the answer to the question. So if I explain that to people, they say, wow, wow, that's a good one. I didn't think that through. So do you need to buy expensive things to get this under control? No.
Again, awareness. We need to explain to users, please don't put confidential stuff in a generative AI tool, because that confidential information is out of your control. It's potentially there now in the public. And that's an example of AI. And AI comes with other complications. There are now tools in Office, Copilot. If, for example, the company
did not protect very well all the information that is available on SharePoint, on drives, and you let Copilot run on it, it will assemble, index all that information. And an example I give to people: if, for example, you ask it, what is the salary of our president? If somewhere there was a file with that salary in it, Copilot will very brilliantly tell you the salary of the president is this amount.
Ron Leplae (19:13.218)
So, and you can, that's an example where people immediately see the case, but it could be other confidential information where you don't want the whole company to have access to that data. And today it might be not well protected on a drive share, on a SharePoint; with the proliferation of AI tools, this information can be easily found, more easily found than before. So that's an example of, and there are many more. I have seen a case
where there was a logistics company, they had entered a chatbot on their website, and somebody outside, a user, trained that chatbot to curse, and they had to take it away because every time a customer asked a question, that chatbot...
Ron Leplae (20:03.946)
exhibited all kinds of profane language. So that's an example. Yeah. If you didn't think that through and somebody finds this a good joke, that could be the result of AI.
Adi (20:15.69)
Wow, that's very interesting and unfortunate. What do you think? When you look at the types of risks that are introduced now that AI is just growing, do you think the upside could?
Adi (20:41.568)
How do I word this question? Is the downside much more significant than the upside in terms of AI, in your opinion, to security?
Ron Leplae (20:50.092)
For me, AI is just an evolution. It's an evolution that you can't turn back. I think the regulatory bodies, like in Europe, we have made some regulation about how to use AI, which is good. We need some regulation, and there are some weaknesses. We will go through the vibes. It will be secured. People think about it, like if you are a big bank and you want to do AI, you might...
want your own local instance of a large language model. So it will take time for AI to be fully mature with regards to security, because people sometimes run before the facts. They haven't thought it really through. But we will get there. We will get there. But I think where the imbalance is today more visible, I'm pretty confident that threat actors are
exploiting AI to the fullest to find all kinds of vulnerabilities at a monster speed never seen before. And it will be used also in the protection, and we do see Copilot in Defender, we see CrowdStrike implementing AI, but that is, I think, slower than what the threat actors are deploying. So we kind of see more exploiting AI for the bad things than for the good things. That's what I think, but it will take time. We will catch up, and it will take time.
Adi (22:19.882)
Interesting. What do you think is one blind spot that most CISOs, or a lot of CISOs, have that they should definitely pay more attention to?
Ron Leplae (22:30.146)
I have seen situations where, for example, there is a policy. I will give a simple example. Password policy. Yes, the password needs to be changed every 90 days. The password needs to be 12 characters. And then you check the reality: it's not enforced. So making rules only on paper is a pitfall. You need to also kind of
do what you say. If you say on paper, this is what we will do, you need to do it also. I think that's sometimes a blind spot where we need some attention.
Adi (23:12.628)
And just thinking, do you think that companies tend to think they're more secure than they actually are? Or do you think that the companies that don't do these things sort of know they don't do it?
Ron Leplae (23:24.034)
It depends. In Europe, we have a lot of regulatory frameworks that come out. One example is NIS2. Another one is DORA. People must do assessments, and those assessments make it visible where we're lacking areas of the necessary level of maturity. And for me, also security, it's a journey. You're never finished.
And what is today acceptable in the next year, you will have to do it a bit stronger and better.
Adi (24:03.41)
Interesting. Would you say that security overall is a stressful job?
Ron Leplae (24:13.866)
It's a bit, I think, an addiction if you really like security, and definitely the recent years, the speed and all the new tech that comes out. The moment you experience it as being stressful, then it's probably not fun. But if you like the adrenaline of things happening, it's a really, really, really sweet spot to be working in. And we've seen a lot of new things coming out, new attack vectors.
And the example is, 10 years ago you got an email from PayPal with five language mistakes, you immediately caught it. Today you get very, very sophisticated phishing. We keep warning people: it's not because you know Adi and you get an email from Adi that it comes from Adi. Maybe the mailbox of Adi is hacked and somebody from...
that mailbox is sending a perfect email with the signature and everything on top of it. So it's constantly evolving, and it becomes more and more sophisticated. Also the tooling, luckily the tooling is evolving, not only with the protection, but you see certain tooling that will give advice on what you can do to improve the situation. One example is Microsoft Defender with the secure score. You immediately have a list of, I can do this, I can do that,
for improvements, and there is even, I would say, a little bit of gamification in it, because I see engineers looking: I can win five points if I implement this measure. The reason why it gets five points is because it's an important measure. And luckily these tools, the proliferation of those tools, make it accessible for everybody to have like a baseline security, which starts to be okay. Yeah.
Adi (26:07.016)
Interesting. Do you think that the fact that you sort of have to be, like, very ready for anything to happen, especially in your case, where you're working with a few companies, it's like really it can come at any time. Do you, is that something that's on your mind often, or is it more sort of you've accepted the level of
Ron Leplae (26:22.752)
Anytime.
Adi (26:37.162)
Being ready?
Ron Leplae (26:38.41)
I would even say that it's a bit of an addiction, an addiction to that variety of things happening and the thrill of it, yeah. I personally, if you would give me the choice to go back to one customer and have like a life where, like a train, I know... I prefer the situation where there is more activity and...
where you learn more things and are exposed to a lot more things. That's definitely... But that's my personal preference. I'm sure that maybe other people say they prefer a slower pace.
Adi (27:19.176)
Interesting. Did you know that about yourself before you got into this role? What made you do it?
Ron Leplae (27:22.976)
No, no, no. That's something you roll into, and you start with one customer, then you do two, three, and before you know it, you're exposed to a broad variety of situations, which is, I like that, I like that. So was it a conscious decision? No, it grew.
Adi (27:45.298)
Interesting. What do you think changed or how did the security change over the past few years? Like, what would you say looks different?
Ron Leplae (27:54.646)
Sophistication, tooling. There are now multiple vendors that offer a broad suite of tooling for patching, for vulnerability scanning. Microsoft is a big player. CrowdStrike is a big player. Palo Alto is a big player. And we, as security advisors, we try to be
technology agnostic. You need to do a job, need to... Vulnerability scanning means that there is software which needs to be patched. You want to make an inventory of how bad it is, where did I forget to patch a machine. And then you will apply a risk-based approach, like the biggest risk, you want to reduce it. And there are many tools.
There has been a time in the past where you did it manually, making an inventory of all the software. Today there is tooling that will facilitate you. So that's definitely... the tooling has dramatically grown, also become more mature.
Adi (29:03.614)
Interesting. And do you see any change in the future coming? Like what is the field going to look like in a few years?
Ron Leplae (29:11.962)
I think that we're just preparing for more and faster and bigger and more of the same but faster.
Adi (29:23.614)
Interesting. Do you think you'd say the same before AI became such a thing?
Ron Leplae (29:30.09)
I think AI is definitely a contributor to more and faster and more sophisticated, whether it's pure software abuse or malware. I'm sure there is malware generated by AI. There are vulnerabilities being detected by AI. But we will catch up with the protection. Certain vendors, Microsoft does use AI, CrowdStrike does use AI, but
there is a catch-up to do on the protection side, I think. We will see that evolving in the future.
Adi (30:07.446)
Is there anything that keeps you up at night? On the CISO level?
Ron Leplae (30:14.658)
Up at night? No, I sleep very well. Sometimes I would like to have days of 72 hours. I could learn, do more, but if the day is finished, then the next day starts. So it is what it is.
Adi (30:30.356)
Do you have a team that works with you?
Ron Leplae (30:32.224)
Yes, yes, yes.
Adi (30:35.24)
Interesting. Do you have different roles or is it interchangeable?
Ron Leplae (30:39.614)
We are interchangeable. If somebody goes on holiday, another takes over, and we tend to have like specialties, and somebody is specializing in certain things. We have a general broad servicing and then we have the specialties, like, you can't be an expert in everything. You divide the expertise, but in general, the broad topics, everybody can cover. And then you have people who tend to be a little bit,
also from personal choice, they have their favorite topics to work on, yes.
Adi (31:15.849)
Interesting.
Ron Leplae (31:16.194)
But security is not a one-man show, this is a... Like also in Seheka we have a SOC, which is a separate team. SOC means Security Operations Center. They're monitoring customer infra 24 by 7, around the clock. And I think in the current security landscape, if you're a bit of a company, you need this kind of service because...
there is so much evil out there that will try, by email, by phishing, by malware. And also sometimes, unfortunately, the customers, they are installing software which is not good, that contains malware, and that needs to be contained. So security is definitely, it's teamwork.
Adi (32:05.736)
Interesting. And if you're talking to someone who's looking to advance in security or get into security, what would be your advice to them?
Ron Leplae (32:15.348)
Learn, learn, learn. You have technical security, you have also more governance, where you put rules, where you put structure. Security is not one-size-fits-all. And I think there is also like, how would you say, a career path. You can start as an engineer doing admin, then you can become a SecOps engineer, you can become an advisor,
a junior advisor, a senior advisor; there is room in security to make a career. And you can't know everything tomorrow, but by learning on the job, by reading, by studying. I would dare to say that security is probably one of the areas in IT where you constantly need to study, but that's valid also for other areas with technology. But if you...
want to go into IT and into security and you say, I just graduated and now I go off to a job and just work nine to five, that's not gonna fly. You're up for continuous education, and if you like that, that's interesting, because every day is another day. It doesn't get boring very quickly, on the contrary.
Adi (33:39.592)
So you're saying that people who go into security, it's, you're learning all the time. You don't really start working and.
Ron Leplae (33:50.24)
Yeah. And also, yeah, incidents happen, and how can you prevent it? How can you improve it? Like, security is constantly improving. I will make a comparison. Like, the very first car that was made didn't have seat belts. Today, a car, the regulatory body will say, this car doesn't have seat belts, it cannot come on the road. It's a bit the same with security. In the past, security was a bolt-on
to something to make it secure. Today, security is embedded more and more and more into the platforms, into the tooling, into the software. And that's an evolution. And it comes with all the possible configuration. You need to know what you are configuring, how you are configuring. I think we made a lot of progress in where software out of the box has a decent security level. I remember 20 years ago, you installed
a SQL server and it had a standard admin and a password. Today, that's no longer the case. I mean, vendors have learned out of that, that secure by design is a principle and it has a reason. Again, it has a reason. Why? Because otherwise you had thousands of people with a router at home and it had a standard username and a password. It's not secure.
Now vendors are obliged, there is also legislation around that. That's not a good practice. Every device needs to have another username and another password, and you need to explain it to the user or even force the user to change that password. So that's how the world has evolved. That's how I have seen it evolving over the last 20 years. And there's still room to evolve. It's a journey.
Adi (35:42.312)
Interesting. So I have one last question. And before that, thank you so much for your time. I think it's really interesting hearing from someone... A lot of times I hear from people who do see the job as more stressful and talk about, like, handling stress. And it's always so refreshing to see someone who has a, like, you look at it from the complete opposite side. Like, this is the exciting part. This is the addiction, so to say.
Ron Leplae (36:07.649)
Yeah. Yeah.
Adi (36:08.976)
So thank you so much for showing this side. My last question relates to that. So you said that when you joined this role, you didn't know you were going to like it this much, like the, you know, everything at the same time. What do you think is your favorite part about cybersecurity in general? Like, what are you really happy to do?
Ron Leplae (36:10.871)
You're welcome.
Ron Leplae (36:24.012)
Mm-hmm.
Ron Leplae (36:36.34)
I'm happy to improve situations at customers, to measure it and to show that it has improved, because with modern tooling you can kind of, it's like a thermometer where you take the temperature of the water. For example, secure score, it's an objective. You can fiddle with it. And if over a year's time you can substantially improve that score, you can show it to the customer: one, we have...
our ducks under control here, and we improve it, and we still have ideas how to improve it further in the future. That gives a lot of satisfaction.
Adi (37:16.202)
Thank you so much for your time.
Ron Leplae (37:21.634)
You're welcome.