CISO's guide to Embracing Risk in Business


What is it like to build a successful business based on risk? In this episode Ashish spoke to Fredrick Lee, CISO at Reddit. Flee shared his deep insights into the essential role of risk in driving business success and innovation. With a career that spans notable tech companies like Square (now Block), Twilio, and Gusto, Lee brings a wealth of experience in both hardware and software security landscapes. Without embracing risk, businesses risk stagnation in a world where competitors are always ready to innovate. From discussing cost-effective strategies in cybersecurity to exploring the formation and goals of Reddit's S.P.A.C.E team (Security, Privacy, Automation, Compliance, and Engineering), this episode gets into the challenges and opportunities presented by the modern tech environment.

Questions asked:
00:00 Introduction
04:42 A bit about Fredrick Lee
07:42 How has cloud changed cybersecurity?
11:37 Threat Landscape in Software vs Hardware
15:12 Threat Landscape in B2B vs B2C
17:27 Navigating the First Steps as a New Company's CISO
20:26 The role of compliance in Cybersecurity
24:12 The role of privacy in Cybersecurity
26:11 The role of AI in cybersecurity
30:36 A bit about AI Cybersecurity Podcast
31:09 What does it mean to be a CISO?
34:34 Building CISO Roadmaps: Balancing Short-Term and Long-Term Goals
36:49 Where to start with CISO Roadmap?
39:02 What keeps Fredrick motivated about his CISO role?
40:36 What's next for current CISOs?
42:50 The Fun Questions

Fredrick Lee: [00:00:00] Businesses require risk. If you are not doing something risky at a business, you probably don't have a business that's going to be successful, because it means that somebody else has already done it, right? And there's tons of people, actually competitors, or it's commoditized, et cetera. Risk is where you find opportunity.

Ashish Rajan: I don't have to have this virtual machine running on my own local laptop, with massive RAM and a massive hard disk, so that I can store the virtual images that were so big in size.

Fredrick Lee: The cost aspect of it, right? So if you're going out and saying you're getting a VMware license, okay, that's expensive.

Obviously I'm cheap. So it's more of a VirtualBox kid. Yeah, even so.

Ashish Rajan: I'm just talking because we have enterprise. That's what I'm saying. But I was definitely VirtualBox as well. I wasn't going, but the images were so big, like one image would be 5GB, 6GB, sometimes 20GB. Yep. That makes me think I should look at if VirtualBox still does exist as a company.

It'd be really interesting. Now with cloud almost 12 years in the making.

Have you heard of the SPACE team? I know this is a Cloud Security podcast, it's not a SPACE podcast, but it would make sense when I explain what SPACE is. SPACE stands for S [00:01:00] P A C E, which is security, privacy, automation, compliance, and engineering.

Yes, that is the name of the team at Reddit. And we were lucky enough to have Fredrick Lee, or Flee, who is the CISO of Reddit, come and talk about how they're building that SPACE team in their organization. They're revamping it as they move into 2024. Obviously Fredrick has been in the industry for a long time.

So we spoke about the different challenges he's seen as the landscape of a hardware-run industry like Square, where he's worked in the past, or Block as it's called these days. And also Twilio and Gusto, the other two companies he's worked for, which are more software based. How does the threat landscape differ?

What are they saying in terms of planning for roadmaps, in terms of where Reddit sees itself in the future and where the security team at Reddit sees itself in the future as well? We spoke about some of the challenges as a CISO in general that people should look out for in 2024 and the broader context of AI/ML, specifically around privacy.

'Cause I definitely wanted to call out that in most of the [00:02:00] conversations we had at re:Invent and some of the other conferences over the last few months, one thing that kept coming up was that data security and API security are going to be top priority for a lot of leaders moving forward in 2024.

So maybe a lot of you listening or watching this would already know this, but for people who have not, I would definitely say those two things, definitely keep them on your radar, because you will definitely find yourself having a lot of conversations about privacy, data security, as well as compliance in data.

And there's a lot more that comes in with AI and LLMs, especially if you're using an LLM model in your organization. Which, by the way, if you are interested in learning more about cybersecurity for AI, we also run a podcast called AI Cybersecurity Podcast, which you should be able to search for on YouTube and the audio platforms as always as well.

But I just want to say thank you to Fredrick and the team at Reddit for letting us do this interview. I really enjoyed this and had a great conversation. If you know someone who's planning to become a CISO of an organization like a B2C or a B2B, or even a company like [00:03:00] Reddit, what does that look like?

What are some of the challenges they face? This is a great episode for them. And maybe if that's their plan for '24, if they want to become a CISO, I would definitely share this with them as well. As always, if you're here for the second or third time, I would really appreciate it if you can drop us a review rating on the podcast platforms or drop us a comment over here, if you're watching on YouTube.

So that we can at least know that you enjoy the episodes or like them and we should keep bringing more people like this. And that is a signal for us to know that, yes, we should bring more people like Fredrick and others who can come and share their experience and talk more about what the space looks like at that level.

And I love the fact that, I think the way I describe it is more like he's protecting the front door of the internet. And a lot of people who have probably been in the industry for a long time, we even spoke about VirtualBox. For people who may remember, I'm now going to Google if VirtualBox still does exist as a company.

But it definitely is very interesting to talk to folks who have had a lot of experience in this field and talk about what they see as upcoming and what they have seen as challenges in different industries like hardware and software, and what security really means: allowing the company to take risk is the job of [00:04:00] the CISO. It's not just to protect against risk; it's how do I enable an organization to take risks so that they can jump on the next opportunity, which brings the most business value.

On that note, I would let you enjoy the episode and I will see you in the next episode of Cloud Security Podcast. Enjoy and I'll talk to you soon. Peace.

Hey, what's up everyone? Welcome to another episode of Cloud Security Podcast. Today we have Fredrick Lee.

Fredrick Lee: Hey man, welcome to the show. Yeah. Yeah. It is great to be here and please feel free to call me Flee.

I consider us friends and all my friends call me Flee.

Ashish Rajan: Awesome. All right. I'll call you Flee. As long as you don't flee away from the conversation. I will

Fredrick Lee: yeah, I'm security. We flee towards things, man. We run towards the fire.

Ashish Rajan: That's awesome. So Flee, could you please tell something to the audience as well, for people who may not have heard of you before?

Fredrick Lee: Yeah. So my government name is Fredrick Lee. As you already mentioned, most people call me Flee. I am currently the CISO of Reddit, which is a social media platform where we help build communities and bring humans together for [00:05:00] a real, genuine conversation.

Ashish Rajan: And I guess obviously you've had some years in cyber security, but what was like your kickoff point for your career in cyber security and was there anything specific that helped you prepare for this role?

Fredrick Lee: What helped me prepare for this role may have been my youth. So I was one of those dirty hackers and probably, more than anything, just, you know, yet another script kiddie back when I was in middle school and high school, et cetera. I am a little bit older than you, Ashish, as you can see. As somebody who grew up and came to the internet probably in what you might actually consider the early days, meaning the late eighties, early nineties, et cetera, there actually weren't jobs in cybersecurity outside of working for the government.

And I'm not really the kind of person that should be working for a nation state. How I actually got into security though, was somewhat by accident, because I was one of those kids who was like, yeah, I always consider myself somewhat of a hacker and even more so a tinkerer or what I like to refer to as aggressive curiosity.

And so I did a bunch of .com [00:06:00] stuff in like the early .com days, pets.com, that kind of stuff. And when the .com crash happened, Bank of America just went across the country and just started hiring all these .com refugees. So I ended up at Bank of America working on the authentication infrastructure, as well as the PKI.

And so I was just hired as just a developer, but while I was at B of A, I discovered an internal vulnerability, and the internal vulnerability was actually pretty bad, and I was pretty sure it's, Hey, I'm probably going to get fired for this, but I should tell somebody, right? Yeah, of course.

And so when I told my boss and when it made it to the CISO, instead of Flee getting fired, Bank of America was like, Hey, we have somebody here that really wants to dig in and actually find some vulnerabilities and actually help us make the company better. And this is at a time when online banking was just getting started.

And so Bank of America, instead of firing me, decided to start an application security team. And at the time we were actually one of the first corporations and even more so one of [00:07:00] the first financial institutions to have a dedicated permanent application security team. And that's how I got into it because prior to that, I was happy just being a developer, writing code, tinkering, I'm more of a low level firmware kind of person. C, it's my preferred language. And so I was happy doing what I was already doing. And I just wanted to make sure that, hey, somebody else inside the bank should know that we have this pretty bad vulnerability.

And it was actually, hats off to Bank of America, because it was at a time when kids like me were just getting fired and put in jail.

Ashish Rajan: Yeah. I am glad you didn't make it to jail, but I was going to also ask, it's fairly interesting also because you've jumped maybe into a lot of nuances there, which I would love to dig into as well.

Some of the trends come and go. The .com boom was a thing. And then a few more things came in and then cloud came in as well. And being Cloud Security Podcast, I think one product, and I think now, since you've seen a few trends, how would you define cloud security as a leader these days?

Fredrick Lee: Oh, wow.

I have a horrible [00:08:00] answer for you. And the horrible answer is that cloud security actually didn't force us to do anything new. It did force us to realize what we actually should have been doing all the time. So you think about it, just because I had a data center at Bank of America, it didn't mean that data center was actually secure, at least not in the way that it should have been.

The great thing about cloud security is one, it actually forces you to actually think about all those attack vectors. You have to think about the entire infrastructure. It also forces you to think at scale in a way that maybe we didn't previously, but there are so many great things that actually came along with cloud security.

Or just clouds in general. I actually even had a talk at Twilio, 'cause Twilio was the first hardcore cloud company I worked at. And I remember giving a talk at Twilio for other security people about how I learned to love the cloud and not be afraid. 'Cause this was actually still somewhat super early days when I was at Twilio; it was Netflix and Twilio with regards to AWS and people playing around in AWS security.

But you got so many great things because [00:09:00] now we're actually thinking about almost provable security, because you could actually turn a lot of the things we actually like to have previously with data centers, et cetera, just into code. And we could actually say, Oh no, I can actually go back and look at this config and I can prove that this VPC is secure (at the time VPCs were new), or some of the things you're actually doing on the EC2 side, et cetera.

And so that's the reason why I say it didn't really change, but it did make obvious the things that we should have been doing. Like I said, the biggest change probably was on the positive with regards to accessibility and that ability to actually turn code into policy and vice versa, or rather policy into code.

And that's just been such a huge win for people that are in the security space. I would say the other thing about cloud security is that it provided an opportunity for more people to get into security. Because you no longer needed a data center to get started, right? And you didn't even need your own home lab, or maybe you actually had a bunch of VMs.

You could literally go and say, Hey, I'm going to register for a free tier at AWS. And with that free tier at AWS, I now [00:10:00] actually get to learn all these things, which is just amazing and phenomenal. And I personally think that was probably one of the other big positive changes for security and the cloud in general. It's just that accessibility around it.

Ashish Rajan: Yeah, I think a hundred percent on the second point as well, that the bar to enter cybersecurity could be a bit lower now, thanks to cloud security as well, because I remember there used to be this whole thing around, Hey, buy VMware licenses, have your own virtual hosts, and people trying to learn CCNA and all that as well.

And I'm not saying those concepts are not important. Those concepts are definitely important to know, networking, but the fact that I don't have to have this virtual machine running on my own local laptop, with massive RAM and a massive hard disk, so that I can store the virtual images that were so big in size.

Fredrick Lee: Oh yeah. The cost aspect of it. So if you're going out and saying you're getting a VMware license, okay, that's expensive. I'm cheap, so I was more of a VirtualBox kid.

Ashish Rajan: We have enterprise as well, but I was also a VirtualBox kid. But the images were so big, so [00:11:00] one image would be 5GB, sometimes 20GB.

Fredrick Lee: Think about this, it's not just about the actual computing capacity that you have. You also get into bandwidth concerns as well. What does it mean to actually download this? I am fortunate to live in the Bay Area.

So that means I have great internet and great internet providers around here. But if you're maybe in the middle of nowhere, or you don't have all that access, downloading five gig Linux ISOs is painful, whereas actually just spinning up an instance on AWS is cheap, easy, and quick.

And you get to experiment. You also get to fail faster in the cloud, which allows you to also learn faster.

Ashish Rajan: Actually, that makes me think I should look at if VirtualBox still does exist as a company. It'd be really interesting. Now with cloud almost 12 years in the making, but you also touched on Twilio, and I think you did some work at Square as well.

Yep. I'm curious, having such vast experience, do you find that the threat landscape differs between, say, how a CISO would operate in a hardware industry [00:12:00] versus, now you're in a software industry? How different are the landscapes in terms of the threats?

Fredrick Lee: Oh, yeah. Hardware is fun and fascinating, but it is also a little nerve-wracking, because when you're dealing with hardware, your supply chain becomes much more important, but also much harder to control.

Right? And most of the time when you're building hardware, especially when you're building hardware at scale, you're not using your own factories, right? And oftentimes you might even have a factory in a region of the world where the government might be potentially hostile, or at least not friendly. You don't have some of the same controls and some of the same tools that you might normally have.

So you have to really think about what your anchors of trust are going to be. How do you actually want to allow people access while also still not trusting them? So it ratchets up a lot of the fundamental things that you would normally want to have in a security program, but it definitely makes you double down on how you think about things around detection and response, and in [00:13:00] particular early detection signals and things like that.

And all the telemetry that you actually really want to have, because now you're actually dealing with hardware. You want to be able to say, Hey, you know what, we have to actually put keys on these devices. I want to make sure that all my HSMs are actually secure and that there's actually tamper detection.

Things like that around these devices, and also tamper detection in the actual hardware that you're building itself. Now, obviously the kind of hardware that we built at Square, I guess what is now known as Block, I'm still calling it Square though, because that was somewhat sensitive and critical infrastructure itself, that definitely made some of our challenges a little bit more complex. But I would argue that a lot of other companies had some of those similar challenges, even if they maybe had a somewhat different profile. The other thing that is challenging about actually being a CISO when you're dealing with hardware is that hardware mistakes are much more expensive. So you really do have to nail some of that fundamental engineering around QA and testing, et cetera, because you can't bring hardware back after you ship it, right?

Obviously, you can actually do a bunch of things with firmware, [00:14:00] but even doing firmware updates is expensive, because firmware relies upon the customer having to do some action, right? They have to be connected. They have to be online. They have to actually accept this update, et cetera. And so you get all of these things that you have to actually think about.

And you have to think about what this means in my ecosystem if somebody has old firmware trying to connect to this service that is actually transferring sensitive data, and trying to also figure out that customer support aspect of it as well. Because oftentimes you're building hardware which has a lot of great security built into it, but you're giving that hardware to somebody that is not a security expert.

And so you have to make it what I like to call lovable security, meaning that all the security that's actually built in has to be super easy to understand and super easy for somebody to actually recover from when they actually make mistakes.

Ashish Rajan: Oh, 'cause also the only option they would have is they will call customer support.

They're not calling security. They call them customer support.

Fredrick Lee: Yeah, they're calling, which makes total sense, right? It's, Oh hey, I bought this thing. Maybe I bought it from Amazon. Maybe I bought it from Square's website. Maybe I even bought it from Best Buy, [00:15:00] but, Oh, regardless, I need somebody else.

I'm talking to you. People's general inclination is to just call the person on the box or call the person that they bought it from. So you really have to make sure that the security is rock solid.

Ashish Rajan: Yeah, I think I also remember the fact that being a B2B, B2C, like I imagine because Square is obviously selling to like cafes and all these businesses.

So there's a whole B2B aspect there, and Twilio and other companies, they're all B2C as well. So all of them have B2B and B2C elements. I'm sure Reddit does as well in terms of the B2B and B2C leadership kind of space. To what you said about hardware, supply chain has become super important.

Whereas software companies, which are focused on consumers or otherwise as well, software companies are more software first, like developer first kind of industries in terms of risk level itself. Is there a difference that you find between a B2B, B2C kind of a thing, or what becomes more important in that context between the two?

Fredrick Lee: Yeah, I think on the B2C side, it actually does become different, because you have to think of a much [00:16:00] broader user base. There aren't as many assumptions that you can make. So when you're dealing with B2B, a business owner intrinsically is thinking a lot about risk, and they have a lot of skin in the game with regards to running and operating their business. Essentially their incentives and motivations to be secure are much higher. And it also means that they are willing to take on a higher shared security burden. They will think, somebody said that my company would be better if I use 2FA when I log into this product. Oh, so the business owner is going to do that, even if there's actually friction involved. Whereas on the B2C side, things like MFA adoption can be a little bit more difficult, 'cause people are actually thinking about convenience and things like that a little bit more. And so it does change your attack landscape. And things like, think about how your normal consumer might be managing their passwords, et cetera. That also makes it a little bit more difficult.

Whereas, as I said, on the business side with B2B, there's just a heightened sense of [00:17:00] wanting to protect your own business. So business owners are generally much more diligent there. The other side of that, though, is on the B2B side they have much higher expectations. They want to see things like a SOC 2 certification or ISO 27001 certification. Your consumers may not have that same education.

And so they don't have that same level of demand and they may not always be as knowledgeable about what they should be asking from their supplier, from a security standpoint.

Ashish Rajan: I'm not even going to go into the whole hardware with the certificate attached to the whole PIN to the device and stuff as well.

That definitely gets a bit trickier. Okay. Now I understand the difference between B2B and B2C, but I also understand the challenges, because I can't imagine telling a shopkeeper or a cafe owner to do MFA. That would be like, why the hell? I just want Ashish to come and pay for his coffee and move on with life and not do a 2FA in front of him.

So I'm also curious, in terms of it's been five months since you joined Reddit, how have your priorities shifted in the last few months of joining Reddit?

Fredrick Lee: Yeah. So when I joined Reddit, [00:18:00] probably one of my bigger priorities was how we're actually thinking about security here at Reddit, security and privacy in particular.

And previously, our teams were a little bit dispersed. And so one of the first things I wanted to do, actually, I wanted to bring back all of the security lions. I wanted to reform Voltron. And in fact, one of the first things we did was actually bring the team all back together.

All the people actually thinking about security, privacy, compliance. And we decided that we actually wanted to just have a rebrand, essentially actually relaunch what security meant at Reddit. And in fact, we don't even refer to ourselves as security anymore. We actually refer to ourselves as SPACE, which stands for security, privacy and compliance engineering.

And part of that, actually, we want to have a really big focus, one, on the idea that, no, this is actually an engineering organization. We are building the security and the security improvements that people wanted to see. We are active participants in building the infrastructure and the experience at Reddit.

The other thing is that [00:19:00] we wanted to defang some of the associations that people might have when they think of security, or when they think of privacy, or they think of compliance. Normally people might think of those as being like "no" functions, or people that are gates, etc. Nobody thinks of a space cadet

as being somebody that is trying to slow you down. Everybody knows that anybody interested in space is interested in pushing and pushing, accelerating boundaries, essentially escaping the gravity of whatever keeps them in place, and also building things that are actually going to take us into the future.

So you think about what the space program has actually brought to us humans in general. Now we have Tang and we have automatic doors, et cetera. But it was really to actually help people understand that this really is about a building organization, and an organization that is going to build safety and human experiences into the product itself to actually help us go. Obviously at Reddit, we always want to talk about things going to the moon. But we actually want to go further than just the moon here in [00:20:00] SPACE. So that's actually probably one of my big focuses right now: the reshaping and the retooling of that culture here at Reddit for our SPACE program to be a lot more prominent and to be a much stronger enabling function and an accelerating function, as opposed to maybe your more traditional kind of, Hey, we have a bunch of spreadsheets and checkboxes and we're going to tell you whether or not you can or can't ship. Space cadets like to ship. That's how we actually get into outer space.

Ashish Rajan: I love the whole rocket analogy as well. So how are we going to be putting it in a rocket and shipping it? Yes, it totally works with the engineering world as well. "Ship it" comes in. I would also ask, in terms of the privacy and compliance, we have a largely CISO, technical kind of audience as well, and a lot of people roll their eyes when they see privacy and compliance. I think it's super important, and especially in the context of the scale. And if I can ask you for a brief, how would you define privacy and compliance in this context for the space you're in, not literally the SPACE you're in, but, no pun [00:21:00] intended, I'm going to be like, no pun intended with SPACE, but how do you define privacy and compliance when you look at it from a Reddit perspective?

Fredrick Lee: Yeah. So privacy is all about making sure that we honor our Redditors' preferences when it comes to how their data is shared, right? We are a data custodian, not a data owner. And so when you think about privacy, it's really about having your own internal Lorax that is actually speaking for the users, saying, Hey, no, this is what a human actually wants.

And this is what a human deserves. And in particular, we know that the more that we can actually protect privacy at Reddit, the better it is for Redditors, because with privacy you have freedom to actually truly express yourself, right? You have freedom to actually explore who you are.

You actually have freedom to actually engage in conversations that previously you may have been afraid of. Compliance is actually one of my more exciting topics, because to me, compliance is all about telling the story of what your security [00:22:00] program is actually doing, right?

And if your security program is doing well, then compliance almost comes by default. Now, compliance is also great as like an internal coach. Think about somebody who wants to run a marathon, right? If you want to run a marathon, if you never ran one before, you actually want to work with somebody who can actually say, Hey, this is what your pace is.

Hey, this is, you know, what your splits are. Okay. Oh, hey, you started from the couch. Now we can actually run a 5K. Oh hey, I'm going to give you something else. You can actually now run a 10K. Compliance also helps lead companies and helps lead them to actually be the things that you want to do, and helps us hold ourselves accountable, right?

I'm not going to lie, compliance is also a great business enabler, right? Because when you can actually tell the story of your security program, it makes it easier for other people to trust you. And when they trust you, they can actually do business with you, and even more so they can actually do more business, and maybe things that they previously were hesitant to share with you.

They're now more [00:23:00] comfortable to share with you. But I think a lot of people, when they think of compliance, they just think of auditors, and they think, Oh, hey, this is somebody who is actually here to get me in trouble or whatever. It's, no, this is actually somebody here to actually help you improve so you can actually get better.

And that's where more of that kind of coach and trainer analogy comes into play.

Ashish Rajan: And would you say it is different to how you would have approached security in other companies that you've worked in? Like the approach you're using with privacy and security at Reddit?

Fredrick Lee: It's not different from what I did at Gusto or at Square.

It is different from where I've been at other companies. And it's different because privacy is now an actual industry. I'm not saying that privacy previously wasn't, but it was one of those things that we just let fall by the wayside. It was like an afterthought. And we thought that, Oh, your security kids, your dirty hackers, et cetera.

The kids that went to DEF CON, maybe the kids that used to work for Alex Stamos, and these are all great people, but we don't always think about privacy in the same way that some of our privacy experts do. And our privacy experts often think more holistically about that entire [00:24:00] human journey, as opposed to what we normally fall back onto, which is maybe just your generic security nerds, where we're thinking more about systems and networks, et cetera, as opposed to that human experience.

Ashish Rajan: Actually, that's interesting. Is there an example? Because maybe I'm guilty of this as well. I always think of privacy as the fact that the systems where my data is stored are kept secure. That's like the layman definition from a technical person. Yeah. What's an example of something like this, so people can actually get to a bit deeper level of what it actually means?

'Cause clearly, it's to what you said. It's an industry itself.

Fredrick Lee: Yeah. And the reason why it's flipped, and I love what you said, Hey, how you think about it is, Hey, is my data secure? Part of that's okay. Secure from who? The other is, even though your data is secure, are people treating the data in the way you would like to have it treated?

And that's actually one of those big differences when we talk about security versus privacy. Security is all about, hey, we have data. We are making sure that certain people don't have access to that data, but it doesn't maybe dive as [00:25:00] much into how the data itself is being utilized.

Privacy also adds that, and that's actually a really important aspect. And an analogy I would give is one that is actually super common. Hey, you have a cell phone. On your cell phone, you probably have calls. You probably have text messages. You probably have some friends that you hang out with at the pub, and maybe y'all have some inside jokes.

Do you want some random person at T-Mobile or Orange or whatever actually reading through those text messages? No. Those text messages are secure. They're actually stored in T-Mobile or Orange's infrastructure with all those proper protections. They're there, but privacy actually comes in.

It's, okay, now that T-Mobile has my SMS messages talking about whatever random bet I have had with my pub mates, now we actually get to talk about whether or not T-Mobile gets to look at that. Now we get to talk about whether or not T-Mobile gets to share that with an advertiser. Now we get to talk about whether or not T-Mobile gets to share that with a nation state of some form.

And that's where the privacy comes in. And it's making sure that there's somebody inside of that organization advocating for the [00:26:00] user and advocating about how data should be treated on behalf of the user, as opposed to people that are focused more about how the data should be leveraged and utilized by the business.

Ashish Rajan: I think this is probably an important conversation also because of the popularity of AI/ML as well, where data is probably the number one thing in business. So many people we spoke to at AWS re:Invent, a lot of CISOs, mentioned that they have now got data security as well as API security as an item in their budget for next year, or in the planning that they're doing for next year.

And data probably would continue to play quite an important role now, and privacy also, to what he said, I feel is very much linked to that as well, where what are people, or what is a company, going to do with the data that we have provided them? Is there an AI/ML model on it to improve service, or maybe otherwise?

Have you seen the cybersecurity industry kind of change with the popularity of AI/ML?

Fredrick Lee: I have seen it change, and there's some very interesting work, and for your listeners and also for you, you should totally get Caleb Sima on here. I think he's actually been on here before. He's doing some great and [00:27:00] interesting work with AI. In particular, some of the stuff actually was just announced that the Cloud Security Alliance is also doing from an AI standpoint. Most of the tech is focused on protection, right? And there's actually a lot of interesting and great stuff going on there.

I think the more exciting thing happening for security and AI, though, is utilization. And some of the things that, in particular, LLMs are actually providing for us, and some of the things that is allowing us to essentially level the playing field on certain things, right? I'm not the world's biggest Splunk fan, and I don't think anybody out there would ever actually accuse me of that, but you can now have people that may have never actually used Splunk that can use an LLM: this is the data I'm looking for, I don't know how to actually write this query in Splunk, so AI, write this query for me, because I know what I'm looking for. And that's going to be a huge thing for the security industry, 'cause it means we can actually get more curious minds into some of these problems and actually investigate.

I am hopeful and optimistic that AI [00:28:00] is actually gonna allow us to bring more people into security as opposed to less, because now we can actually have more people asking interesting questions without the need to actually go back and learn a bunch of foundational things that, while relevant and fun at the time, may not be as relevant for somebody that has a specific need or objective outside of just learning, right? If your objective is to say, hey, I want to see, AI machine, please tell me what are all the users associated with this IP address. Now you can totally actually do that as a query in Splunk or BigQuery or Chronicle or Panther. For those that are actually out there on the Panther platform, you can do that on those platforms, but it also requires you to actually learn these things.

Whereas I can actually have even somebody who might be a new grad, or even somebody who maybe didn't even come from a university background from an educational standpoint. They would still have the knowledge to say, hey, I want to ask this question. And being able to actually have that ease of use is just going to be game changing for us.

And we're already seeing tons and tons of people actually hopping into that.

Ashish Rajan: [00:29:00] I love it. 'Cause I think the moment you mentioned it, the one example that came to my mind was, these days, whenever a SOC analyst or someone who's in the SOC team sees an IP address being a threat, they have to understand the context of what the hell this IP address is in the first place.

Yes. But then which system? Oh, it's a Windows system, a Linux system. There's so many layers of knowledge they have to go through to even triage to the point of, now I'm ready to investigate and know whether this is an investigation that I should raise an alert on, or should I just go with the false positive.

But someone who's coming from, and this is maybe where diversity could come into it as well, someone from another field, completely different to cybersecurity, could come in and go, hey, go get some alert for this IP address. Is this something I should look at? And the AI machine goes and does that thing and goes, no, actually, you know what?

It's a false positive. So you move on with your life. That will be amazing.

Fredrick Lee: No, it will be amazing. And even for the people that consider themselves nerdy, et cetera, AI is bringing to the forefront some technologies that we in security should have been paying attention to anyway, right? [00:30:00] For the people that actually have dove in deep on the LLM side.

A lot of them are actually super excited about all these great vector databases that are actually being tossed out there, Weaviate, et cetera. And those are awesome because we are now introducing some cybersecurity professionals to things like, hey, this is a good way to actually do anomaly detection, right?

Hey, we have a vector database and you're putting in all this telemetry, and some of those anomalous instances are very obvious in a way that they weren't for us previously. And so just giving that accessibility is now even more leveling the playing field and giving some of these small security teams oversized, large-security-team skill sets.

Ashish Rajan: I agree. And I think just on the Caleb Sima thing as well, I'm going to plug you. So him and I are running another podcast called AI Cybersecurity Podcast, because we realized there's actually not enough conversation about cybersecurity and AI, and because he's the AI safety chairperson for CSA. And so him and I started that AI Cybersecurity Podcast, but I think a hundred percent Caleb is doing some really interesting work, and I'll definitely encourage the listeners and viewers [00:31:00] to check out AI Cybersecurity Podcast. I think we're definitely trying to, because there's a lot of confusion in the whole AI/ML space as to what an LLM is, what the hell is an LLM, and all of that as well. So this may be a good quick point to bring up in terms of becoming a CISO. How does the remit kind of change from being an individual contributor or a team manager to now being a CISO?

Because I imagine a lot of people would hear, oh, so FLee is the CISO of Reddit. And in terms of the remit changing from overseeing cybersecurity to an entire organization, how has that kind of changed? In what way has that kind of evolved for you?

Fredrick Lee: Yeah, some of the things that definitely change when you move from an IC up through the leadership ranks, et cetera, are the scope of your impact and also the scope of what you truly can care about.

I run a kube cluster at home, much to my wife's disappointment.

Ashish Rajan: Is it a self-hosted one or one of those managed ones?

Fredrick Lee: Oh, self-hosted, dude. I'm, oh my God. Okay. I'm old. I'm old school. I got a horrible rack. That's incredibly embarrassing. It is way oversized for my personal needs.

No [00:32:00] wonder your wife is upset about it.

But it's one of those things, though, as a CISO I'm not supposed to be in the weeds, and I have to actually think at a much higher level. So I can have opinions about Kubernetes, right, personally, but really, my opinion should be mostly based on what kind of outcomes we are actually trying to get, and helping to actually drive those, and also thinking about those holistically, and even more so thinking about it from a pragmatic standpoint.

Like, the higher up you go, the more necessary it is for you to actually become pragmatic, 'cause you have to keep taking in the entire business context. And one of the things that I learned quickly as I was going up from IC to manager, et cetera, is that businesses require risk. If you are not doing something risky at a business, you probably don't have a business that's going to be successful, because it means that somebody else has already done it, right? And there's tons of competitors, or it's actually commoditized, et cetera. Risk is where you find opportunity.

And so as a CISO, you really have to actually think about, hey, what kind of risk do we want to enable for the business? And oftentimes as an IC you're thinking about what kind [00:33:00] of risk do I want to prevent? And that's actually a fairly significant mind shift when you actually think about, okay, hey, as CISO my job is to be a company builder, right?

And part of my role from the company-building standpoint is helping the company see the risk. Yeah. Contextualize those risks, understand those risks, and also figure out how to actually mitigate some of those so we can actually accelerate and move forward. So you think about what Reddit does, right?

Reddit says, hey, we're not going to get into your business. We're not going to do any kind of, hey, you got to show me an ID so I can do some name verification and all this crazy stuff that some of the other platforms do. Instead, we say, oh no, come one, come all. And when you do that, yeah, that is a little bit riskier.

It's riskier than what other people do, but it allows us to actually build something great, like Reddit, where you can actually have all these communities that are actually so distinct. The analogy I've given to other people is, you think back to the nineties, et cetera, when e-commerce first came into play.

Do you know how dumb it is to put your credit card on the internet? Let's think about that at the time. [00:34:00] Yeah, but somebody said, Hey, this is an opportunity. And there is a risk here, but if we mitigate this risk, look at all this business value that we actually unlock. And even more so think about all this human value that we now can unlock.

So you think about things like, regrettably, even saying the blockchain. I like the blockchain, I don't like the crypto kids, but things like that are enabling technologies that took something that was risky, de-risked it, or at least reduced some of that risk, made it manageable, and now you have all these great opportunities.

And that's one of those big distinctions, and one of those big maturation points for somebody actually seeking to be a CISO.

Ashish Rajan: So talking about allowing businesses to take risk, in terms of your long-term and short-term kind of viewpoint that you're looking at, because a lot of people now, at the beginning of 2024, are looking at, okay, what's going to be my roadmap for, I guess, at least the next few years, maybe hopefully short term, long term.

How are you approaching this differently this time, the whole short-term versus long-term roadmaps?

Fredrick Lee: Oh, I am more of a big-idea person. So I [00:35:00] generally actually just think in the long term, recognizing that, especially as a startup kid, the short term always is going to be flexible, right? And there might be some things you actually have to react to in the moment, but that's the reason why I focus more on the long term, because it makes it easier for me to actually determine what are the compromises I'm willing to make.

Hey, what are some of the adjustments I'm willing to make? 'Cause I actually want to make sure that I'm always hitting that long-term target. And that's part of the reason why I try not to overly optimize for the short term, because oftentimes when you're overly optimizing for the short term, it's like your classic target fixation.

You will now end up staring towards that direction as opposed to the original direction you actually wanted to go in. I do think for a lot of people in 2024, though, including Reddit, obviously, the economy's turning around, there's going to be more people online.

There's going to be more commerce, bandwidth is getting cheaper, there's more and more devices actually coming onto the internet. It turns out we're also still making humans. All these things mean a desire for more capacity, but also mean, yeah, potentially more attackers and things like that.

I think what a lot of people, though, as you said, are going to be focused on is, [00:36:00] hey, what can I do to accelerate my existing security team? Recognizing that budgets are still somewhat tight, even as we're actually going into 2024, I think you're going to see a lot more people actually dabbling in the LLM space.

And that's obviously something that I'm interested in with my team as well. So you think about some of the things you actually just get from that standpoint. Think about your classic security questionnaires, right? Why should I have to fill that out? Why can't I just have AI actually do that for me, even if somebody's format is actually different from what I've seen before?

Hey, I have some great salespeople, and they occasionally have to actually talk to our customers about security concerns. Isn't it better if they actually have an LLM that they can actually talk to and say, hey, what is our policy around this? Because I have a customer asking about it. And so I might be overly enthusiastic.

But when I think about the future, I think about all the great things that we will have available and what we actually can accomplish and what we can leverage there.

Ashish Rajan: I look forward to a future where we'll just give a ChatGPT prompt to an auditor as they walk in, and basically they have access to everything. It's really interesting, because I know how [00:37:00] auditors are usually painted as people who are always untrusting of the answer that the people would give.

"And I'm sure Ashish is trying to hide something here." But when it's a system talking, I wonder if they'll be more trusting, because you can't talk back. It's going to give you some more clarification, keep giving you information. It'd be really interesting. And I'm as optimistic as you are about the possible future for this as well.

So that's a great answer. And talking about maybe, on a related note, a lot of CISOs probably listening to this are planning, and maybe first-time CISOs as well who are planning their roadmap. Are there any trends that you think they should look out for? Maybe they might not be looking at it right now, but they should look out for it as they look at the long-term roadmap, as you suggested.

Fredrick Lee: Oh, I still think that we as an industry are very early, in everything we're doing for processes, how we think about people, et cetera. And I think some of the things that people should be keeping in mind is, what can you do to accelerate your business? And what are some of the things that maybe we traditionally had a ton of people working on that we should now reconsider and leverage software for?

The auditor question is actually [00:38:00] a great one, right? Think about how much time you spent in the past, yourself or your team, et cetera, because I know you've been a CISO also, having to go through some of this. Saying, hey, we have an assessment coming up. Oh, I got to go gather all this evidence.

Previously, you either had to actually build a bunch of tooling yourself, if you were a more advanced company, but the default was more than likely, oh, you had a bunch of people that had spreadsheets. They were walking around asking people questions, saying, hey, I need to see all the GitHub access.

'Cause I need to do an access review. Hey, can you actually give me a dump of that? I'm going to go through it manually. Now we have companies like Hyperproof, SafeBase, Vanta, formerly ByteChek, et cetera, who are now actually doing all this automation and integration around it. And I do think it's actually still something that a lot of our CISOs need to actually be diving into.

It's, hey, what are tools that I can actually look at that are actually going to accelerate what I do today, and make my people more valuable than they were yesterday? And that's where I still think we have a journey in getting more and more CISOs to think like builders and engineers, rather [00:39:00] than just as gate and governance functions.

Ashish Rajan: Talking about journeys as well, what keeps you motivated? Obviously now you have a challenging role yourself, and obviously in an industry at large as well. What keeps you motivated despite knowing how challenging these roles can be?

Fredrick Lee: Oh, what keeps me motivated is that I'm an angry optimist. And I would argue to say that anybody that is in security for more than five years is definitely, at this point, an angry optimist, because you're in security because you actually believe that there is a better future, right?

A more perfect thing that we can actually have. The anger is like, ah, I really want to see that future. And so that's actually one of the things that actually motivates me. Like, I believe in the true internet, which is actually a large reason why I decided to actually join Reddit, 'cause Reddit is probably one of those last real bastions of the true internet.

And so that makes me motivated, because I want to protect that. I want to have things like Mastodon flourish. I want to have things like Wikimedia flourish. I want to have things like Reddit flourish, et cetera, because that brings [00:40:00] people together. It democratizes knowledge, it democratizes access, and any time you can give humans more capabilities and more equality, the better the world becomes.

And I get excited when I talk about it, and I get excited when I wake up, because I get to work on this. I get to actually help make this better for other people out there.

Ashish Rajan: You get to secure the front page of the internet, I guess you would call it as well. Yeah, I guess a lot of people for a long time have had Reddit as their default homepage as well.

The subreddit is like a thing where most conversations, at least, I know at least the tech friends that I've had, all of us have had that. Maybe another part of journeys also: where do you see them go from a CISO role as well? Because a lot of people are almost going, hey, I've done the CISO role for X number of years.

I've been in a startup or I've been in a medium-sized company. Where do you normally see people go on from being a CISO, to what else is out there?

Fredrick Lee: Yeah, like, a couple of things that you're seeing that are actually new is people, one, really now recognizing the [00:41:00] strength of some of these CISOs, right?

And so you're seeing CISOs now become CIOs. So yeah, it's very common now for CISOs to own IT and own a lot of those things, et cetera. So for example, at Gusto, the CIO reported to me, and it makes sense when you actually think about it, because so much more now of what we actually think of from a classic CIO standpoint.

It's actually about doing security capabilities for the company, right? Hey, yep, hey, we got to provision some SaaS apps. Oh, that sounds a lot like a security issue. Oh, hey, we have to grant access to all these users. Damn, that sounds a lot like a security issue also. Oh, hey, we got to issue these endpoint devices, and we got to do a bunch of stuff to actually make sure those endpoint devices are safe.

Oh, that's definitely a security function. The other thing that you see, which actually I'm getting super excited about, I'm super proud of these individuals, you're seeing a lot of CISOs become CTOs. And so look at GitHub and Mike, and obviously coming from the Duo background is always great, but CISOs are now more and more coming from origins where they were actually engineers and [00:42:00] practitioners themselves, right?

And so they already understand what it means to actually build a great engineering organization, because their security organizations are just engineering organizations, and you're seeing them actually take that practice, that knowledge, et cetera, and that discipline to actually scale towards these larger engineering organizations and actually help shape some of these products.

Think about Fox, Melody over there. She used to be the CISO and now she's the CTO at Fox, right? And those are actually just great things, because it's also just seeing, hey, it turns out the CISOs have a wealth of skill sets, and probably more so than a lot of other C-level execs, being a CISO requires you to have a lot of knowledge about all parts of the business in order to actually be effective.

And because of the nature of how businesses operate, you have to have deep knowledge about how a technology and a tech organization actually works, which actually is making a lot of these CISOs phenomenal CTOs. Yeah.

Ashish Rajan: Oh, great examples as well. That's like the last question that I had as well. I've got three, maybe four fun questions for you.

So people get to know you a bit more as well. First one being, what do you spend most time on when you're [00:43:00] not working on tech things, like your self-hosted Kubernetes and anything else?

Fredrick Lee: Yeah. Yeah. I was going to say, oh, what am I spending most of my time on when I'm not working? Which at this point is Kubernetes and fixing Home Assistant.

But I love being outdoors, almost anything outdoors related. I love road cycling, I love mountain biking. It is now snowboard season here in Northern California, and that's probably what I'm going to be doing for hopefully the next couple of months, depending on how many snow dances are out there. So please have your listeners do some snow dances for FLee, so that he can actually get enough powder to ride until at least April. Yeah. So that's what I like to do. Also, I enjoy cooking. I am a video game player. I've been spending way too much time playing Genshin Impact. So also have your listeners do some Primogem dances for me, so I can get some good pulls.

Ashish Rajan: I would definitely do that. I think you and I are already friends. I'm a snowboarder as well, so you and I are already friends at that level, man. I'm hoping for some snow weather, but unfortunately for me, I have to go to Europe. Apparently the UK doesn't get enough snow.

Fredrick Lee: Yeah. Yeah. Yeah. There's nothing but rocks in the UK.

Ashish Rajan: That's pretty much what I've [00:44:00] heard. I'm like, oh wait, I have to go to the, but then the sound of going to the Italian Alps or the French Alps sounds much better than going up a mountain somewhere. So I'll take that position. The second question that I have for you is, what is something that you're proud of, but that is not on your social media?

Fredrick Lee: What is something that I'm proud of that's not on my social media? My parents. I am deeply proud of my parents. I would argue to say I have some of the most amazing parents in the world, right? My mother and father both, and for the people that are listening to this, as opposed to what you're seeing in the video, I am Black.

My parents are Black, and being Black citizens that actually grew up in the United States, they went to segregated schools. They didn't have the same access that I have now. Part of the reason why I am so excited and passionate about computers is that it was a passion of my father's, and he wasn't allowed to do it because of racism here in the United States.

But my parents overcame all of that, right? And they made sure all of their kids actually went to college. They made sure that all of us were dedicated to education and self-improvement. And they also made sure that we were all dedicated to trying to actually be good humans, and probably one of the [00:45:00] most important things I learned from my parents was that.

Anger is a gift, and you can use that passion to actually make things better. And that if you are actually making the world better, if you wake up every day with the goal of helping somebody, you're on the right track and you're doing the right thing, and you can actually live with yourself at night. And I'm just super, super proud of both of my parents, just because of all the struggles that they have gone through, all the things that they sacrificed for me and my siblings to actually get to the places where we are.

And it just, all the great support they still give me now.

Ashish Rajan: I'm going to make sure the recording of this goes to your parents as well. You get some brownie points there, but definitely shout out to your parents for raising good kids as well. And to your point, the angry optimist is still working their way through as a CISO as well, so the anger is still being channeled in the right place.

It's pretty awesome. All right. Third question is, what's your favorite cuisine or restaurant that you can share?

Fredrick Lee: Oh, what is one of my favorite cuisines? Oh, that's so difficult. But I would normally say probably just steak. I'm a very simple person. But if it's not steak, then it is probably brisket, because that's [00:46:00] actually one of the things I like to do over the weekends.

I enjoy smoking various meats. Yeah.

Ashish Rajan: Wait, what's the, 'cause I feel like some people actually have that meter for, oh, I want 24 hours, 48 hours. Is there like a time period for what's the best time for the smoked meat that you enjoy?

Fredrick Lee: Oh man, it's an organic experience. Every brisket is different, but no, normally it's generally going to be at least a 12-hour ordeal.

Okay, anywhere like 12 to 16 hours.

Ashish Rajan: Yeah. And by the way, I'm going to throw in a bonus fourth one, because you've been in the industry for a while, and you're one of the few people as well who will remember the waterfall days. Now, when I walk into conversations, a lot of people are straight into Agile.

Oh, yeah. And I talk about waterfall, or even anything before that. So what do you miss about the good old days of waterfall?

Fredrick Lee: What do I miss about the good old days? What do I miss? Oh, jeez. I will say this. Waterfall definitely at least introduces some positive pauses, right?

Where you can say, hey, okay, we're at this stage, let's stop and evaluate before shipping. The downside of that, though, is still just that [00:47:00] it doesn't, that's still too slow. I prefer for security to actually feel more integrated, and waterfall can actually make security feel more distinct, and it still pulls us out.

And that's part of the thing that doesn't excite me so much about waterfall still. There are some tools that I miss from the waterfall days. Like, I probably am one of those people that, I still like ClearCase. Hey, look, I'm an old man. I still like ClearCase. I still like Perforce. Wow.

Ashish Rajan: Okay. Wow. Okay. Fair enough. I wonder how many people who are listening or watching this would actually know these. So I'll definitely encourage them to comment below if they actually know that software as well. But dude, that was most of the questions I had. Thank you so much for your time. Where can people find you on the internet if they want to connect with you on this?

Fredrick Lee: Yeah, I'm pretty easy to find on LinkedIn. You can just search for Reddit CISO. That's actually pretty much it. I don't use what was formerly called Twitter, just because it's a hot mess now. And it actually turns out I hate being around Nazis. Surprise.

So you won't find me on Twitter. You can occasionally find me on Mastodon, but I'm actually more [00:48:00] tuning down a lot of my social media right now, and actually for the last couple of years, Reddit has actually been my primary social media platform. Yeah, that's where the good conversations are going on.

I'm in, like, security engineering, obviously I'm in, like, r/cybersecurity, all the security ones. I'm also in the r/MMA subreddit and some of the things there. Yeah.

Ashish Rajan: Awesome. I'll put that in the shorts as well. Maybe I'll check out the subreddit for cloud security, 'cause I know there's AWS security, Azure security, GCP security.

Is there a cloud security one?

Fredrick Lee: You should make one, man. Make one.

Ashish Rajan: Create one. Why not? Yeah. But dude, thank you so much for your time. I really enjoyed the conversation as well. And I can't wait to have a part two of this conversation a few years into the role as well. But thanks so much for coming on the show.

Fredrick Lee: Yeah. Thanks so much for having me. And we're going to have you in person at one of our Reddit security events sometime.

Ashish Rajan: I would love to do that as well, man. I think I'll definitely enjoy that. And considering we're connected now anyway, there's definitely no escaping this. As long as you let me play the 90s hip hop music.

[00:49:00] Yes, of course. Yeah.

We'll definitely do that as well. On that note, for everyone who's tuning in, we'll see you next episode. Thank you so much for joining us, and I'll see you next episode. Peace.