Enterprise Security · Risk · Architecture

Angel De Leon

Enterprise Security Leader

Building scalable security programs that reduce risk, improve execution, and enable the business.

01 Approach

Security is a strategy and assurance discipline — not a queue.

With a foundation built across enterprise IT, I lead security as a proactive architecture and control function: defining what good looks like, proving where the real risk actually sits, and building controls that scale with the business rather than slow it down.

The aim is durable risk reduction the organization can feel — not ticket volume. That means making the secure path the default path, automating the repeatable, and continuously validating that the controls in place are doing what they're meant to do.

02 Operating Model

How I think about the work.

A point of view shaped over years of building enterprise security programs — the principles I return to when the path isn't obvious.

01

Threat-led, not request-led

Start from what an attacker can actually do and whether the controls meant to stop them truly hold — then close the gaps that carry material risk. The agenda is set by real threats, not by the inbox.

02

Proof over assumption

"We have a control" is a hypothesis until it's evidenced, validated, and watched for drift. I move teams from assuming controls work to proving they do — and catching it early when they quietly stop.

03

Secure by default

The secure path should be the easiest path. Repeated decisions become standards, paved patterns, and automation — so the business moves quickly without re-litigating risk every time.

04

Own the standard, partner to operate

I define the control strategy, prove the gap, and set the bar — then hand off to operate. Scaling through architecture and governance, rather than becoming the bottleneck for everything.

03 Domains

Where I operate.

An enterprise security architecture organized around the control planes that matter — from the endpoint to the agent.

PILLAR 01

Endpoint

Trusted, hardened, continuously verified devices as the first condition of access to anything sensitive.

PILLAR 02

Connectivity

Access built on explicit, validated trust and least privilege — not on assumptions about the network you're on.

PILLAR 03

Identity

Strong authentication, governed authorization, and continuous validation — for people, services, and agents alike.

PILLAR 04

Data

Sensitive data protected consistently across endpoints, SaaS, workflows, and third parties — wherever it flows.

PILLAR 05

Observability

Proving controls actually hold — with evidence, continuous validation, and early detection of drift across the estate.

04 Impact

Outcomes over activity.

01

Designed and scaled security intake and automation so review quality rose while manual friction fell.

02

Advanced enterprise controls across endpoint, identity, SaaS, data, and third-party risk.

03

Partnered across IT, Legal, Privacy, Procurement, and Engineering to make security a condition of execution — not a tax on it.

04

Oriented the program around measurable risk reduction, control clarity, and operational sustainability.

05 Principles

The shorthand.

i. Security should be clear, scalable, and defensible.

ii. Automate where the risk is understood; reserve judgment for where it isn't.

iii. Governance should enable speed while protecting the business.

iv. Measure durable risk reduction — not ticket volume.

06 Connect

Résumé, speaking, advisory, or security leadership conversations.

For résumé requests, speaking, advisory work, or a conversation about security leadership, reach out below.