Rising Tides: Lesley Carhart on Bridging Enterprise Security and OT—and Improving the Human Condition


Rising Tides – A conversation with Lesley Carhart, Technical Director of Incident Response at Dragos

One of the greatest realities of our current timeline is division. Division over geopolitical dynamics, division over human and civil rights, division over how to address complex security issues, and so much more. In the latest edition of “Rising Tides” I spoke with Lesley Carhart, Technical Director of Incident Response at Dragos, about all three of these topics, as well as the importance of mentorship and an almost call-to-action for other senior leaders to step up into more formal and organized mentorship roles.

Lesley’s takes are hot but also realistic and attainable. For example, if we can come together to bridge the critical complexities that often put enterprise security and operational technology (OT) at odds, something Lesley is extremely passionate about, we can accelerate security progress.

As a very open nonbinary and trans person, Lesley says that while our cybersecurity industry is “much better than a lot of IT fields in support for neurodiverse, LGBTQIA+, and other non-traditional members of the workforce,” there are still sometimes threatening levels of backlash, especially for the queer community.

And, of course, we had to touch on the potential need for increased cybersecurity diligence overall with the new U.S. presidential administration, especially from an industrial control systems perspective, and their overall “magic genie” wish for more critical thinking skills about biases, gauging cause and effect, identifying disinformation, and threat modeling.

Read the interview for more on all of this, as well as why people are drawn to authenticity more than anything, and where to find them on the social web.

Lesley Carhart, Technical Director of Incident Response at Dragos

Q. You’ve been a strong voice in our industry for some time. Please tell me how your career evolved from the military and throughout your time at Dragos, and the role you play there now.

A. I’ve always cared deeply about two things – making the world better than I came into it, and understanding how the world works. I had a rather stereotypical path into cybersecurity (as a person who started programming at a very young age), but I’ve always tended towards the circuits and wires of computers and networks that make the world go, not code or abstract concepts. I did this as an aircraft electronics technician in the Air Force, as a network engineering major, and eventually as a cybersecurity person focusing on industrial technology.

Q. Our industry is quite transient and a lot of people don’t stick to one place for long, yet you’ve been with Dragos for seven years. What is it that drives you to stay?


A. A few reasons – first of all, I have zero ethical quandary about what I wake up and do at Dragos every day. I don’t even have to personally adore every single industrial company – it is sufficient that I know that if there is damage to their industrial devices, people or the environment may be harmed, and the right thing to do is to protect and restore that infrastructure.

Secondly, I love the work, and it’s still pretty niche. There are very few firms doing serious industrial incident response (especially for the caseload we have!) and even fewer that get their hands in every vertical, globally. Dragos is a place where I can make a difference, and I’m challenged by some of the best practitioners in the field.

Q. What was the transition like from public sector to private sector vendor cybersecurity?

A. Oh, I have worked in every type and size of organization, public and private, over the years. I mentor a lot of young people and I have frequent conversations about the upsides and downsides of choosing government versus a startup, versus a corporation, and so forth. You can do really interesting work and training with the government, and there’s a lot of career and work-life stability in that type of role. However, in startups and small companies you can have a lot faster and more substantial impact on the direction an organization goes in. You can also be less siloed, and make more immediate cash. There are always trade-offs. I encourage every young cybersecurity person to explore all of those options.

Q. I know you’ve been asked this one million times at least, but many people know you as “hacks4pancakes.” I would personally do most anything for a pancake – is there a broader story to this name or do you simply love pancakes?

A. It’s self-deprecating humor. It’s like “moves for pizzas”. I do a lot of volunteer work in the community. I get paid in food a lot. Don’t ask me for advice on getting rich. At least not rich in money.

Q. When we talked about doing this interview, you said that repairing relationships between cybersecurity and operational teams is critical, and nontrivial. How do you personally approach this gap and why are you especially passionate about it?

A. The unfortunate reality of OT cybersecurity today is that enterprise cybersecurity as a practice has soured relationships over a decade through lack of understanding of needs, process safety, and realities of cybersecurity capabilities in process environments. Audits and demands to immediately patch systems without consideration for human life and safety have absolutely caused relationship damage, and there’s now a dangerous level of shadow IT and poor communication between the teams in a lot of organizations. This bleeds into every capability, from architecture, to detection, to incident response, with huge implications. You can’t respond to an emergency if people refuse to speak to one another.

I think this is really crucial to understand and address in every organization because it not only is essential to building a functional program, but it teaches enterprise cybersecurity people the profound difference in cybersecurity priorities and methods in OT. Start with shadowing and listening to your OT staff. Understand what really matters – real life consequences like process damage or injury. Start to understand the real restrictions and risk measures that limit modern security tooling. Then you can work on cybersecurity moving forward, together. Food helps! Bring doughnuts.

Q. Whether a security issue or a non-nefarious technical issue, what have you seen as the biggest operational security risk that has been created in the last year? Do you also feel it was properly addressed, and if not, how could we have done better?

A. Lack of basic realistic planning and testing of plans for incident response. A lot of organizations have some kind of IT incident response plan, or they’ve copied a template from the internet for audit purposes for OT, but the plan lacks adequate tailoring for the real OT environment and testing to assure it will actually work. When seconds count, these organizations are scrambling for days to find basic data on their network architecture or methods to restore OT device backups.

Incidents are only getting worse and more common in OT as adversaries realize they’re often a soft target with visible real life impacts. Start somewhere. Make a plan for how you will respond to OT-specific incidents and test that plan in tabletops and drills to see if it actually works. It is not a copy-paste from Enterprise.

Q. Cybersecurity threats in operational environments have been an important focus for some time, and there are concerns that, with the administration change, the U.S. is going to have to up its diligence significantly to protect human survival that relies on operational tech. Do you agree with this hot take, or have another perspective entirely?

A. Look, adversaries learn from one another, and they learn from the news just like we do. The last twenty years have demonstrated the reach and influence of digital industrial control systems. They are a critical part of everyday modern life in most of the world. Adversaries are also learning how dependent many verticals are on those systems to do jobs no longer staffed by humans (or previously functioning with much lower efficiency). That’s a big deal.

While state-sponsored cyberattacks are driven by geopolitics, and those winds shift, we have to remain aware that the barrier to entry to industrial cyberattacks is lowering, and both criminals and nations now know that they can be devastating. Nations have spent over a decade building their capabilities and reconnaissance data to conduct serious attacks against control systems. There is more going on out there than most people are aware of. If cyberattacks are the most cost effective way to achieve an objective, they are going to be used to do so. And as more tools automate those complicated attacks, and more information about what works is available, they will be used more often by less sophisticated or resourced adversaries as well.

Every country, including the U.S., should be taking this threat very seriously as part of a defensive strategy for critical infrastructure.

Q. The same statement applies when it comes to human rights and socioeconomic issues, especially those who fall into under-represented groups. If you agree, what do you think we can do as a cybersecurity industry or community to help? If not, what do you think is the better mindset to have?

A. The economic divide in industrial systems is typically between verticals, and those verticals vary somewhat by country. For the most part, municipal utilities like water and sewage are much less resourced in cyber defense than, say, large oil and gas companies. Unfortunately, tampering or destruction of either of those verticals’ critical infrastructure devices can lead to people dying. We spend a lot of time talking about electrical power cybersecurity (and it’s definitely a cornerstone of functional society and safety), but that’s partially because that’s the only thing most of us have ever seen fail. In the US, most of us have never seen sewage not work for days, or long-term water cutoffs to our homes. That’s something we are just not equipped for.

For underprivileged communities, the gap in resources for cybersecurity in municipal utilities is often even more pronounced. A key part of the battle is informed citizens and legislators recognizing all the places industrial systems keep our modern society working, and considering the implications of them failing or being tampered with. There’s been a lot of good community and governmental work towards closing this gap, but we have a long way to go.

Q. Early last year you did a talk called “We’re All Scared, Too: 10 Years of Lessons from Cybersecurity Mentorship” for Wild West Hackin’ Fest. What was your biggest takeaway for that audience on the importance of mentorship?

A. I do a lot of career mentorship through clinics and office hours, and the thing that’s really struck me is how many people have the exact same problems, but no idea they aren’t totally alone in them. In my talk, I spoke about some things I see weekly, like difficulty in choosing a cybersecurity niche, problems with toxic workplaces, the pressure to move to management from a technical role, and even burnout. They need a stranger like me to tell them it’s normal and okay, and help them tackle those problems. Sadly, I’m usually booked out for months because of the massive demand for mentorship. We need more senior people stepping up and taking on formal and organized mentorship roles. People need an outside ear and unbiased perspective.

Q. I found a tweet from more than two years ago from you that said: “Hi, just a gentle nudge that it is pride month, and I’m very genuinely non-binary / trans, and that is a meaningful thing to me – not a fad. I very much admire you all’s support of women, who I share many experiences with and support too, but code switching is exhausting.” Do you feel as if, at least within our industry, less “code switching” is necessary and there is more outward, dedicated support for non-binary and/or trans people?

A. In my personal experience, cybersecurity is much better than a lot of IT fields in support for neurodiverse, LGBTQIA+, and other non-traditional members of the workforce. We have a robust community and good social support groups. That said, queer people today are facing the same cultural backlash in IT as anywhere else in society. I work in a customer-facing role. I’m active in the media and as a professional speaker. Sometimes I have to appear unremarkable and inoffensive to the audience to get the job done, and it sucks. I don’t know what the right answer is. I’ll continue to do everything I can to make everyone welcome in cybersecurity.

Editor’s Note: Since this interview was conducted, Lesley announced a move to Melbourne, Australia, and will continue acting as Technical Director of Incident Response for Dragos.

Q. Speaking of “former Twitter,” have you fully made the move to BlueSky like so many others? In other words, where can people best find you now?

A. I left Twitter two years ago for ethical reasons and I have not looked back. I’m active on LinkedIn, Mastodon (Jerry Bell’s infosec.exchange instance), Bluesky, Threads, and Instagram. I also have a YouTube and a blog. A plethora of ways to find me and keep in touch, should the reader wish to. I love making new pals!

Q. We’ve covered a lot of topics so far, from your career to the state of the world to the issues affecting humans. What worries you the most that we need to address, either in cyber or outside of it?

A. What a huge question. If I had just one magical genie wish, I would improve critical thinking skills in humans around the world. That includes introspection about biases, gauging cause and effect, identifying disinformation, and threat modeling. Lack of good critical thinking skills is negatively impacting human society as a whole, and also impacting cybersecurity directly. We are prioritizing the wrong things, and jumping ahead of the basics. We aren’t thinking adequately as a society about the long-term results of our choices. In reality, the solution comes back to prioritizing better foundational education for the next generation, and continuing that education through life.

Q. On the lighter side, what is something you’ve seen in our industry over the last year that may or may not be serious, but made you laugh, that we can all learn from?

A. I get a chuckle every time somebody (almost daily) tells me they can’t decide what job they want to do in cybersecurity. Without fail, they all think they’re the only hacker interested in everything. Yes, we’re all interested in absolutely everything. Interest is not your daily work, though. Find the things you don’t want to do, and narrow down the choices. People at DEF CON only talk about their cool days. Learn about the other ninety percent of their careers and what they dislike about their jobs. Rule out things like travel, report writing, long periods of hyperfocus, or working with customers that you may not enjoy – or gravitate towards those roles if you enjoy them!

Q. What is the best career advice that you’ve ever been given?

A. It wasn’t advice given verbally. I had the most amazing mentor – my first real cybersecurity mentor – early in my career. He was the sweetest, humblest, most hard-working person I may have ever known in the industry. I aspire to be half the person he was. He was like an extra parent in a big company where people could be easily lost, and he worked insane hours – sometimes arriving at 6 AM and leaving at 7 PM to shield us from bureaucracy. He would bring us food, Happy Meal toys, and dance in the hallway if we were down. We played video games on the weekends.

He passed away, suddenly, from an undiagnosed illness. He was a few years from retirement and had worked at the company for over 30 years. He had a wife who loved him who he barely saw during the week.

I learned so much from him, and he made my working life infinitely better. At the same time, he was replaced by the company in a few weeks, and we had to appeal to get a small conference room named after him. I hope people in the future are still told who he was.

Your work is not your family. You can love it, be passionate about it, and care about your employees. However, you are your one best advocate, and you should not go above and beyond perpetually to account for gaps in staffing or resources. You need to have your own life, outside work.

Q. What makes you the most humbled or proud?

A. Every time a person I have mentored or taught reaches out months or years later to tell me they’ve been successful, and remembers how I helped them in a small way. It makes it worth it. Thank you.

Q. Finally, there are a lot of people who look up to you, who want to get to the level of impact in the world that you have had. What should they think about when they feel like they’ve hit a wall?

A. Be true to yourself and find what you want out of life (and why). Find your people and your own things. Everybody else has their own agenda and biases when they make plans for you. Only you can know which of the million lives on this planet is right for you. You have more options than you know, even if some of them are scary or uncomfortable. The world is big.
