Simply Solving Cyber

Simply Solving Cyber - Leon Ravenna

March 22, 2023 Leon Ravenna Season 2 Episode 1

Leon Ravenna is the Chief Information Security Officer and Chief Information Officer for KAR Global, a Fortune 1000 company headquartered in the Indianapolis suburb of Carmel, Indiana, with over 5,000 employees across the United States, Canada, Mexico, the United Kingdom and Europe.

Prior to KAR, Leon worked at Interactive Intelligence as well as other companies including Irwin Financial, First Financial, Service Link, Millennium Pharma and Heartland ECSI.

Aaron, Cody and Leon talk about prioritization in cybersecurity, picking "hills to die on", staffing and retention, and more.

Aaron:

Thanks for tuning in to Simply Solving Cyber. I'm Aaron Pritz. And I'm Cody Rivers. And today we're here with Leon Ravenna, CISO by background and owning IT and infrastructure and some of the other capabilities as well. But why don't you introduce yourself and then we'll dive right into the discussion.

Leon:

Sure, happy to be here. I'm Leon Ravenna. I've been doing technology now for 36 years, so way, way long. I know I look like 29; it is what it is. So I've been doing technology since the mid eighties. I grew up doing endpoint stuff. I was a Master CNE, I was a UNIX admin. And for those of you that are young, you don't know what a Master CNE is, but it was in the NetWare world a long, long time ago. I've done a lot of technology, built data centers. Started doing security about 2003, and unfortunately I was the guy that didn't step back fast enough when we were asked who wanted it. So I started doing that kind of in both roles. Did a lot of technology up through about 2014, came into Interactive Intelligence to run security, and so I ran global security and privacy, and then moved to KAR Global about six years ago. And I've been doing the global CISO role, tactical privacy, so some of the work behind privacy, a lot of compliance. Then I picked up the CIO role a little over a year ago, and that includes everything in IT except for development, and for data center compute.

Aaron:

A lot of people that came up early in security mention they kind of didn't get out of the way fast enough. When did it convert for you from a "Hey, I was there, I did it" to more of a passion, like "I'm all in on this"?

Leon:

Yeah. You know, it's funny. I originally wanted to go to the University of Minnesota and study law enforcement. I wanted to go Secret Service, and ended up going to a small private school in Indiana that had a great computer science program. So it's always been kind of in the background of passion, but in the mid two thousands it started being a lot of focus.

Aaron:

Awesome. And kind of owning the CIO role: a lot of our industry has talked about, you know, should it be separate, should it be combined? I think for me, the answer a lot of times is it depends on the person, on the company, on the broader buy-in. But give me your take on that. How have you leaned into that role, and what do you think the right mix is?

Leon:

It's a great question, and I think it's really balancing the voices in my head; they consistently argue. But I come at things with a security-first view. It helps as we're starting to think about how we do new things; it drives more of the IT folks that I have reporting in to think about security. The classic piece there is I'm trying to shut the pipes down from a security standpoint, open them up from an IT standpoint. So it's striking that balance. I know there's been a lot of discussion over time about where the CISO should report and stuff like that. It reports to the CIO in a lot of cases, and that's changing, but having both roles kind of gives you focus into being able to help on both sides, to do things in a balanced approach.

Aaron:

Okay. Do you find yourself with broader reach owning both?

Leon:

If you think about uptime, the example that I use a lot is, from an IT standpoint, I want five nines. From a security standpoint, five nines sucks. If you think about it, if I'm doing five nines and I'm trying to protect a hundred million emails a year, well, that means a thousand get through. So the numbers actually have to be a lot tighter on the security side, and having a background in both helps drive it. I think if you came into it and, say, you grew up on the GRC side and you're a CISO, you're probably not going to have as much reach into some of the IT things. By virtue of having done technology for so long, I was doing software delivery in the mid nineties on Windows 3.1.

Aaron:

You're doing a lot of Windows 3.1 today?

Leon:

Yeah, no, I'm doing a lot of software delivery. Realistically, my job is again to strike a balance between what we're doing, and I look at uptime from a couple of different perspectives.

Cody:

Very cool. And just to take a step back too, maybe give the listeners a brief overview of what KAR Global does so they can understand what a task you have at hand, running both sides.

Leon:

Sure. So KAR Global is, I think, Fortune 900 now. When I started it was Fortune high 600s. We spun off a billion-dollar company in 2019. That company should be acquired next week; it should go through for $7.2 billion. So a pretty good shareholder transaction. We also sold our biggest business unit last year to Carvana, so it's kind of interesting: I have 5,000 people that I take care of as part of KAR, but I also take care of 5,000 people that are still on my network from that transaction. What KAR does is in the vehicle logistics space. We do a lot of things at the end of a lease, or selling cars to dealers. We do things like inspect vehicles. We sell vehicles on behalf of manufacturers. We cut keys or the key fobs, things like that. We do auto inspections. We do short-term leasing for dealers and things like that. I think the number is, in 2019, just a few years ago, we touched about 3 million vehicles globally. We have facilities in the US and Canada. In Europe I have the UK and Brussels, and then a couple of small offices throughout the EU. I have dev teams around the world.

Aaron:

Excellent. From a risk standpoint in that sector, it's fairly common in auto to have leasing as part of a lot of large companies, but I would say it's some of the traditional financial management risks. And then manufacturing, or anything on the delivery or operational side that you have to deal with?

Leon:

We don't do a lot of manufacturing, but we do a lot of IoT. One of the things that we had done prior to Covid is real-time video streaming of auctions, and so there are a lot of IoT devices there, and we take care of that. We pivoted during Covid in about two weeks from selling about half of our vehicles online to a hundred percent of the vehicles online.

Aaron:

Holy smokes. So in some of our prep discussions we talked about two things, and they're probably two separate topics, but you'd mentioned the term "picking your hill to die on," and I think that's important as a CISO. And then the second, related topic is prioritization. When I was on the corporate side, and now as I work with a lot of clients, I'm always telling my key customers, the leaders, CISOs, whatever level it is: the biggest enemy of success in cybersecurity is not prioritizing enough and spreading yourself too thin, both from a burnout standpoint and from a human capability and ability to achieve projects. So what are your thoughts? Let's start with "picking your hill to die on," and maybe some good stories that have helped you contemplate that or refine your picking.

Leon:

One of the things that I've told people for a long time, in my role, whether it was heavy infrastructure or security, is you may be the guy that is at fault for something: a system's down, there's a breach, things like that. And I've told people forever, I have to be prepared for every day to be my last, because in a lot of ways you may be the scapegoat. You may have done something wrong, not intentionally; you missed something. I harken back to the SolarWinds CISO, and people were going after him because he missed a bad password. I've got 5,000 people with lots of systems, and we have controls in place for that, but the possibility exists and you may miss something. So always being prepared for that, and understanding that it's business, it's not personal. I think there are things, as you look at your career, both on the IT side and the security side, that are just the wrong thing to do, and you have to be prepared for that to be your last day. There are cases where, a long time ago in 2001, I left a company because they owed a major manufacturer, I think it's seven figures, so well over $10 million, and just said, we're not going to pay it. And I resigned the next day. We live in Indianapolis, and it's way too small of a town to be tagged with that. So there are things where you have to be prepared for "I'm exiting." It's interesting, I talked to a recruiter a few weeks ago and she said, it sounds like you like your job. And I said, why do you say that? She goes, most CISOs hate their job, and they're desperate to get out. So we talked about that, and I said I'm really thankful for my team, who is a really solid team.

Cody:

One thing I thought about too, back to the topic of the hill you want to die on: you've got so many folks with digital transformation wanting more access from more devices to more data, and then the CISO hat says, I've got to limit access, or control access. Any big wins you've got over the past six to 12 months in that area where you were able to satisfy both sides?

Leon:

Yeah, I'll give you an example. One of the things, before I moved into the CIO role, was I wanted to update Google, or Chrome, on a regular basis. And it was hard, but I explained to folks that every time there's a zero-day, I'm going to make you drop everything you do to go fix it. And remarkably, about a month after I became CIO, the endpoint guys came and said, hey, we figured out how to do it, and we can go start to finish in 30 minutes from the time that Google drops an update to when we're deploying it. And they said, if you want it faster than that, we can do that, but we figure 30 minutes is good. Better than most. And that's a big win, because it just takes one more thing off the table. I have some wicked smart folks that do a phenomenal job, and it's doing things like that to just take some of those risk things off the table.

Aaron:

Do you think that the team came to you with the solution once you had the CIO role, or was it just happenstance, lucky timing?

Leon:

No, I think it was more of a "hey, this is a good thing for us to do, and this is what Leon's going to..." And quite frankly, a lot of the things that we go back to people with from a security standpoint are really trying to make their life easier. If you build that process so it happens in an automated fashion, you don't really care when Google drops a new zero-day, and it's going to happen because it's a browser. So there are things like that that start to make life just a little bit simpler. And if we can start taking one or two of those off every so often, it makes life just a tad easier. There are plenty of other things coming at us; we'll talk about prioritization, but it's taking those things off the table that are somewhat easy, and then moving on to the bigger things.

Aaron:

Right. Before we move on to prioritization, do you think that cybersecurity needs more organizational change management and almost user experience? Because I do, and your comment resonated with me. If you make it easier, there's less likelihood that somebody's going to try to bypass a control or try to work around you. So I see where teams are spending the time making processes, people, technology more accessible, more easy, more clear to know and do the right thing; there's less friction. Has that been your experience as well, or what are your thoughts on that?

Leon:

Yeah. The typical picture of a CISO is Dr. No: no, you can't do that, there's no way. Part of my job is to try and enable things. It's being a little bit more flexible on what needs to happen and understanding that at the end of the day, we've got to make money. So we have to transact business. The absolute most secure thing is that everything's turned off: you have no customers, you have no people, but you're not making any money. You have to do it in blocks, but you can still do it. It's a constant battle, but trying to make things easier for people. For instance, MFA: we mandate it, but we try and make it as easy as possible. We do a ton of single sign-on so people don't have to worry about "what's my password for X?"

Aaron:

Great points. So let's shift to prioritization. Across your career, across your CISO roles, where have you seen the teams that you've led have too much, and maybe some examples of where you've had to rationalize, both on tech but also on workload?

Leon:

Yeah, I've never been in an organization where I had all the resources that I wanted. If I look back, I was at a company in Pittsburgh about a dozen years ago, and when I walked in to work for a former boss, he said, here are the 10 things that nobody's ever gotten done. And we did them in the first six months. And, to be perfectly blunt, we didn't ask any questions; we did horrible change management. I remember having a discussion. We had moved 12 locations onto a new Cisco phone system, and we got to our two biggest ones, and I had a call the week before and they said, hey, we've got 20 operators, what's actually happening here? I said, you're not going to need them because we're dropping in DIDs for everybody. And they're like, oh, okay. And what I found there is, as long as things are flawless, there are no questions. And oddly, the only two things that didn't work out of that whole rollout were two DIDs that happened to be for the CIO and the CEO that they didn't know about, but they didn't come through. They didn't come through the day that they did; it was about four hours later, but I still got chewed on for not getting those two things done that they didn't know about. And about two weeks later, I was walking by the CEO's office and he screamed my name, and I came in and he said, what's with these phones? I'm like, what's the problem? He goes, when I'm yelling at somebody, it's like they're sitting right next to me. Okay, isn't that what you wanted? Yes. Do you need anything else? No.

Aaron:

Did he just always talk in a yell, and you thought you were getting scolded, but he was actually praising you?

Leon:

I think in kind of a backhanded way. But when we look at it again, you're never going to have the resources, never going to have the dollars. We do some interesting things. We talk to a lot of early stage startups, and so it's helped us maintain a flatter budget but get in some of the things that we need to do. It's a little bit more of a risk on what we're doing, but as an example, we were looking at cloud posture tools two and a half years ago, and the biggest thing I was concerned about was, am I leaking data? Do I have any exposure there? And none of the tools really did that. And we looked at a tool, and that's one of the things they did. And we said, you know, I'm not as worried about whether you can automatically fix things, but can I get good visibility right now? And it installed as a role in AWS. It was quick to roll out, boom, it was done. And it's been there for two and a half years and does its job every day. It's one of the things I check seven days a week without fail.

Aaron:

So for emerging cyber leaders, what are your tips or lessons learned on prioritization? How do you help those that haven't been through as many hurdles as you have do better at rationalization and picking the right forces?

Leon:

You know, I've never done a big, fluffy strategy. I have one that says, here's kind of what we need to get done in the next year, here's how we're doing it, more for our cyber insurance carriers than for anything else. But if you start to look at what the paths in are: you're going to have a path in that's through your firewalls. You're going to have a path in that's through your end users. You're going to have a path in through email. And as you start to look at those paths, which are the most deadly first off? And start to go take care of those. I mentioned that we've gotten multiple layers on the email side, and there's nothing that's perfect, and we use one to catch what the other one doesn't catch. So I look at it that way from a prioritization standpoint: what is the next biggest issue that we have? You've got 50 things to choose from, and you've got a limited set of people and dollars to go fix it. But where can you get the biggest bang for your buck? That's what we look at.

Cody:

We had Jeff Ton here on the last episode, and he's with the Indiana CIO Network. What would be your advice to CIOs across the US, and in Indiana particularly, right now, that are getting tasked with security, or are looking at their strategy for the next year or objectives and they're security focused and it may not be in their core wheelhouse? What suggestions or tips would you give them as far as tackling that role?

Leon:

Yeah, I think it's interesting. I saw some stats. There's SEC guidance that's going to come out probably next month that talks about cybersecurity skills on your board. And there are roughly 9,000 publicly traded companies. I think it's two thirds of the Fortune 500 that actually have a CISO in place. So for those CIOs that are struggling with it, you need to have kind of rational conversations with your security leaders on what it is that actually gets beyond the bits and bytes. There's a language for all of this stuff, and when I start talking to the finance guys, I can't figure out what they're talking about, because they don't understand the language. But it's the CISO's job, or the security leader's job, to try and explain that in rational terms. And I think for those CIOs that are, and I'll say it bluntly, stuck with that role, start to reach out to people that are in your circle. As a CIO and as a CISO, you very rarely have people to talk to. You can't talk through and say, I'm working on a problem, how do I go fix it? And I would strongly suggest finding one or two people that you can do that with. I do it for a number of people: hey, you've got a problem, you need to yell at somebody. I've been yelled at my whole life. Call me up, yell for 15 minutes, you go your way, I'll go my way, and I'll save that number. But you'll probably talk through how to fix that problem. At the same time, I would strongly recommend going that route.

Cody:

So moving on to retention and staffing. You see a lot of stuff now; you mentioned earlier CISOs and burnout and moving around. What are some challenges that you're facing, and some tips of how you curb that as far as retention, as well as just adding new life and new lifeblood to the tree?

Leon:

Yeah. So I'll talk first on my security team. At the risk of losing people: I've lost one person in the last two and a half years, and she actually moved on to Lilly. We brought her in as an intern. She worked through getting her undergrad, got her master's in cyber, and then moved on to a much broader role, which is exactly what we want. And so we celebrate that. It's not a bad thing, it's a good thing. I've tried to help people over the last 30 years, and really 25 years in management. If I can help you get to a role that I can't accommodate for you, I'm going to do that. So I've done things where I will go talk to people I know at Company X that someone's looking at going to: is this a good thing or a bad thing? And done that for people to say, yeah, this company, you're not going to fit well. And then a month later, at this company you're talking to, it's all good, go with my blessing. The two guys that left two and a half years ago both became CISOs and then decided after a while they didn't want to do that. But trying to develop people for that next role, I think, leads a lot to retention. We have a relatively small team, especially when I compare myself to the Anthems of the world or the Lillys of the world. And so people are doing really deep and technical stuff early, and they own stuff. So they have a say in how we do it. I think, from a retention standpoint, those are the things we're trying to do. From a staffing standpoint, we've had three interns now that have been in place for at least one year, but a couple of them two years. And we keep those interns year round. So we don't just say, hey, you're working in the summer, and then, hey, you've got five hours during the school year, come do stuff; we keep them on. All three of them have finished their cybersecurity degree. One of them just finished a double major. One of them is getting his master's in cyber. So it's awesome. We have people that are actually doing stuff, and, since I don't have the positions, we're actively trying to go find homes for them in the Indianapolis area. That's the bargain that we have with them: we're going to let you do work, we're going to use your skills, and then we're going to either try and place you here or try and move you out, because that's what you need to do.

Aaron:

That's really cool. So definitely the investment in the people coming in and the investment in helping them out into the next step. One thing that we do a lot of here is try to create a culture that's not nose-to-the-grindstone burnout, which is one of many things that we're trying to be the opposite of in consulting. The industry in consulting does have a bit of a reputation for that: work hard 60-hour weeks and then fold out to a corporate role. So from your side, what are some of the things that you have done or would recommend to others on creating a dynamic culture that people want to stay in?

Leon:

I don't know that it's always nose to the grindstone. One of the things that I tell people is I work seven days a week, but then I have to caveat that with: the place that I go for coffee on Saturday and Sunday mornings doesn't let you sit; they took all the tables and chairs out. So I get my coffee, go to work for a couple of hours, check my security stuff, and then do odds and ends for a couple of hours. But that's my choice. I don't mandate that for people. So knowing that people do have a personal life, but, when the phone rings, we need you to pick up. So having that bargain with people. We don't try and raise the flag, but there are some things that I try and take on that people shouldn't have to do. So I try and do some of that. Giving people what they need to do their role, and quite frankly, having the ability to look at some new and interesting technologies really helps people to want to grow. It's not just "you're going to do this thing for the rest of your life," and so they're really not pigeonholed and they get exposed to a lot more. In some cases that's great. In some cases it's a lot to take in.

Cody:

I feel like cyber nowadays is like IT was 20 years ago, when if you were an IT guy, you did it all: you did some coding, you may have done some networking, you may have done the AV in the conference room. Now it's gotten more diversified. Cyber before five years ago was pretty single-threaded. Now it's like you're in cyber on the tool side, you're in cyber on the process side. So I feel like it's evolving now to be more...

Leon:

It is, although I don't think you ever, ever get away from being the AV guy. But yeah, there's more diversity of what to do, how to do it. And going back to one of the staffing things, it's looking for people that aren't on that classic path. Looking for people in odd spots.

Aaron:

On the corporate side of my life, some of the best people that we brought into security came from other business units, and I think the differentiator was the motivational fit. There were some that didn't work as well as others, but those that you could see had the spark and the passion went on. They're still in the field even though they came from finance or from sales and marketing. So that was really cool to watch.

Leon:

One of the best pen testers that I've met is a CPA by training. And the reason he's so good is he knows where the money is; he knows what to look for. And we actually have one of our guys that grew up on the business side. He ended up working in our area doing customer compliance type things, went on his own, got a CISSP, and he's doing AppSec for us. It's phenomenal. It's that kind of stuff, and it's those kinds of stories that, when you look back on your career, are where you see the real joy out of managing. The first week I became a manager, I asked my boss, where do you find joy in managing? And when he got done laughing at me, he said, the only thing that you will ever have that's beneficial is seeing the people that work for you succeed. Period, end of story. And if we can do that, and look back on a hopefully long career and say, yeah, I helped this many people go be better than they were, that's a win.

Aaron:

I think it's good and fitting to end on that note, and I hope others that are listening, early in their career in management, embrace that same approach. So, Leon, thanks for coming on the show. We really enjoyed talking with you, and talk soon.