The Colorado Office of Information Technology on Monday announced the hiring of Ray Yepes as the state’s new chief information security officer. Yepes, filling a vacancy left last year by the departure of Deborah Blyth, is moving to Colorado from Texas, where he’d served as CISO of the state’s Department of Family and Protective Services.
With the move, Yepes will go from overseeing network security for a single, 15,000-person agency in a heavily federated state to running cybersecurity policy for a consolidated state government with nearly 40,000 employees.
In an interview with StateScoop Friday, Yepes said he’s eager to join that kind of enterprise after five years with Texas.
“The centralization itself, that alone is a huge plus,” he said.
Blyth, who served as Colorado’s CISO for seven years, left state government last July for a position with the cybersecurity firm CrowdStrike. She led the response to a 2018 ransomware incident that crippled the Colorado Department of Transportation, which led to the first instance of a state government declaring an emergency over a cyberattack and writing a new disaster-response playbook that several other states have since mimicked.
Yepes, who said he was part of the out-of-state volunteer response to the 2018 incident, was hired as the result of a nationwide search that began following Blyth’s departure last year. (William Chumley, OIT’s chief customer officer, has been serving as interim CISO for the past eight months.)
“Ray has such an impressive depth of experience as a cybersecurity professional and executive,” Colorado Chief Information Officer Tony Neal-Graves said in a press release. “His ability to influence a sustainable security culture, foster change and develop people and relationships will enhance the protection of our state’s IT systems and data.”
Before the Texas family services agency, Yepes ran a cybersecurity consulting practice, advising several Fortune 500 companies, including Nissan, he said. He also served as CISO of Waste Management, the garbage-hauling giant.
One part of the job that Yepes said he’s particularly passionate about is ensuring compliance with security requirements, especially coming from an agency in Texas that he said had the “most difficult” requirements in certifying its data security.
“The more compliance you have to follow, the more secure you’re going to be,” he said. “I believe my approach is a totally proactive approach. I don’t want to be reactive. It’s good to know how to react, but you always want to be one step ahead.”
Yepes, who’s in the process of moving to the Colorado Springs area, told StateScoop he’s excited to work for the state because of the strides it’s made on cybersecurity.
“Colorado is ahead of the game,” he said. “Tony and his team: Holy macaroni. Their work is like nothing I’ve seen before.”
Yepes added that while his job will involve protecting networks used by tens of thousands of state workers, he’s mindful that that work impacts the public: “We forget this: We are public servants,” he said. “We’re worried about our data as state employees. We’re worried about counties and cities. But we need to be worried about the people we’re serving. We’re protecting everybody.”