Elastic’s Darren LaCasse on Distributed Security Operations at Scale

The Story This time

The transition from technical security expert to effective people leader is way more challenging than it might sound. Darren LaCasse, Director of Threat Intelligence, Detection, & Response at Elastic, learned this lesson through a management mistake that almost cost him a team member and taught him the fundamental difference between managing work output and leading human beings. His journey from classified government security to distributed enterprise operations offers hard-won insights into building resilient security teams that can sustain month-long incident responses without burning out talented professionals.

Ben April sits down with Darren to explore how security leaders can maintain technical credibility while developing the people-first mindset required for modern distributed security operations. Darren shares his framework for global incident response that prioritizes sustainable team performance over heroic individual efforts, plus his approach to building trust across geographically distributed security teams through structured vulnerability and systematic information sharing practices.

Stories We’re Telling Today

• The evolution from technical expert to people-first leader, including the critical mindset shift from doing the work to enabling others to excel at the work.
• Sustainable incident response operations using follow-the-sun models that prevent burnout-induced decision failures during extended security breaches.
• Building and maintaining trust across distributed security teams through systematic information sharing and structured vulnerability in leadership.
• Hiring and screening methodologies for identifying trustworthy security professionals who can handle sensitive information appropriately.
• Balancing technical engagement with strategic leadership responsibilities without becoming a hands-on keyboard bottleneck during incidents.
• Threat landscape monitoring strategies using social media and industry networks to identify emerging threats before formal intelligence channels.
• Mental models for security decision-making using frameworks like the Eisenhower Matrix to prioritize high-impact, low-effort security initiatives.

Too busy; didn’t listen:

• Darren emphasizes that month-long security incidents require sustainable 8-hour workdays with natural handoffs rather than 16-hour shifts that lead to decision failures.
• His biggest leadership mistake involved nearly putting an employee on a performance improvement plan without understanding their personal challenges, teaching him that technical performance issues often stem from human factors.
• The “say-to-do ratio” serves as his foundational leadership metric, with personal integrity and reliability building the trust necessary for effective security team operations.
• Despite formal industry sharing groups like ISACs, threat intelligence collaboration remains limited, with organizations reluctant to share actionable intelligence even in trusted environments.
• The transition from technical expert to people leader requires actively stepping back from hands-on work while maintaining architectural thinking about systems and strategic technical engagement.

Skip to the Highlight of the Episode

12:33-13:19 “A lady by the name Deb Worrall took a chance on me and said, “Come work on our security team. I know you want to do that.” So I moved into the classified security space, and she not only took a chance on me, but gave me permission to change things and said, “Figure out how we can do all of this better. I don’t care if you get it wrong, but keep us moving in the direction of better.” So she gave me enough room to run and try things, to learn, to grow, and share that feedback. She said, “I want to get here.” She didn’t tell me how to get there. She let me figure out that path, and I think that was one of the most impactful things in my career to just see like, “Oh, someone trusts me, someone said, ‘I want to do this, you figure it out, you’re the technical person.’” And so I try to do the same thing now with my teams.”