
CISO to CISO Webcast with Fredrick "Flee" Lee, CSO of Gusto

Webcast and Podcast | Altitude Networks, June 17th, 2020

To learn more about the Rapid Security Assessment mentioned by Michael in this webinar: https://altitudenetworks.com/assessment

About Flee:

Flee has more than 16 years of experience leading global information security and privacy efforts. Before Gusto, he led information security at large financial services companies and technology startups, most recently at Square. He previously held senior security and privacy roles at Bank of America, Betfair, NetSuite and Twilio. As Gusto's CSO, Lee leads the company's information and physical security strategies, including consumer protection, compliance, governance and risk.

Michael and Flee will talk about careers in security, success tips for leaders in InfoSec, general security, and experiences that got them where they are today.

We hope you can join us live and can't wait to hear your questions!


Michael Coates:
This is CISO to CISO, a live podcast focusing on information security, leadership, innovation and more, brought to you by Altitude Networks, data security for the cloud.

Michael Coates:
Welcome, everyone. My name is Michael Coates. This is another edition of our CISO to CISO webcast, and I'm super excited. I'm joined today by Flee, so we're going to have a great conversation about a lot of things. This webcast is brought to you by Altitude Networks. We are a cloud-native DLP solution provider. So if you are using platforms like G Suite, Box and others in the cloud, we're the system that finds and protects sensitive data like board decks, salary information, privileged legal documents, any of those things that you don't want shared in the wrong way, whether from accidents by corporate employees, malicious contractors, rogue apps, you name it. So if that's interesting to you, check us out at altitudenetworks.com or at the link below this recording.

Michael Coates:
So with that said, let's dive in. Flee, so happy to have you here. You have been at amazing places. You are the CISO of Gusto, you've been the head of InfoSec at Square, you've been Director of Security at NetSuite, and then more and more and more. Thanks for taking some time out to talk with us.

Fredrick Lee:
Thanks for having me here. I've always been a big fan. It's always great to get a chance to chat with a CISO neighbor. I love the fact that you were at Twitter, literally right across the street from Square. I was a huge fan of your work super early and just really appreciate a lot of the stuff you've been doing.

Michael Coates:
Thank you. Thank you very much.

Michael Coates:
Yeah, and for those of you that are looking at the video, you might notice we are in this wonderful bar location. We are webcasting now, virtually on location. I wish we were actually here, but Flee, tell us a little bit about where we are. I always like to let the guest pick somewhere in the world that's interesting to them.

Fredrick Lee:
Yes. So this bar is Dry Martini, which is actually a phenomenal cocktail bar in Barcelona. It's actually one of my favorite places. And one of the great things about it, if you actually go to this bar, obviously their specialty is martinis, and there's a whole ritual behind the martini, the way they serve it to you, the way it is prepared, et cetera. In fact, the gentleman is actually in the mirror behind you. He's actually still at that bar making martinis, and he made several martinis for me. And you can actually go there. And when you get served a martini, they actually give you a certificate for the martini when you are served it. And when you go back to the bar, you're going to get extra stamps, et cetera. The whole ordeal. I love Barcelona. I love this bar. I have so many, so many great memories of this bar and our memories over drinks. It is just a phenomenal place, highly recommended. And I got the recommendation from a couple of other just great security practitioners. So Dr. Gary McGraw at Cigital, also Dr. Matias Madou, they're huge cocktail fans as well. And both of them actually recommended this bar.

Michael Coates:
Very cool. Well, awesome. So, your journey in security: like I mentioned, you've been at some amazing places, and you started off towards the beginning in a developer role. Tell us about that journey. How did you end up as the CISO of Gusto? Did you know you always wanted to be in that role? How did you make that big leap?

Fredrick Lee:
Oh, that is a great question. So you're exactly right. I started my professional career as a developer, and part of that, actually, is that I went to school for electrical engineering at the time; it seemed to be like the past. As you can probably see from the gray hair, I'm a little bit older than maybe some other people here in Silicon Valley. And so when I was actually beginning my journey, just in general, there really wasn't a security industry in the way we are thinking about it today. And so if you wanted to actually get into computer science, those kinds of things, you just followed the normal path of being an engineer. I'm super grateful for that because I believe that that's part of my superpowers: my ability to actually write code, to understand code, and even more so, to understand the value of building. So I started my career at a couple of really, really small startups, not startups, even, in Oklahoma. So, yes, the Midwest does have a phenomenal tech scene. And then from there, I went on to join Bank of America. This is actually right after the dotcom crash. When I was at Bank of America, I joined Bank of America as a developer, once again, primarily focused on authentication and authorization systems. A lot of stuff around like good management, cryptography and things like that at the time. This is once again super early in what we think of now as the AppSec industry. Bank of America didn't have an application security team. And being a curious developer and just curious about security in general, I found some interesting ways, while I was at Bank of America, to give myself a pay raise and everybody else a pay raise.

Fredrick Lee:
So when I found that, I thought, OK, I'll probably get fired for this. But being a Boy Scout, I was like, I've got to admit this anyway. I need to tell somebody that it was unsafe, unsafe for the company, unsafe for our customers. And if I was going to be terminated, OK, I'm fine with that. When I told my boss and ultimately told the CISO, instead of firing me, they actually said, wow, thank you so much for finding this. How about we do more work in this area? And that was kind of like my transition from a developer to becoming a true application security person, really having security as the primary focus of my job. And in the end, at Bank of America, I had the opportunity to take some of that application security work I was doing, and I got involved with this little startup super early, named Fortify, that was working on static analysis. And we were one of the very, very early, early customers. I got the opportunity to work with Jacob Weiss and Dr. Brian Chess on some of the things they were working on there, and it was kind of a Hair Club for Men type of story with the products. So they were like, Flee, you have to come to California, help us build this thing. And that's how I made my journey here to the West Coast. And then from there I just kind of jumped around to a couple of other security startups, et cetera.

Fredrick Lee:
But probably the big turning point for me was moving away from just being somebody that analyzed security vulnerabilities or made products to help find security issues, over to somebody that was actually having to live with security decisions. And I think that's one of the big light bulb moments for me: the things that I've built, I now have to actually live with those. If I tell somebody, hey, fix this issue or spend all this time working on this, that's now an issue that I have to live with. And that was also part of the motivation for me to, you know, take some of my skills and move more towards, I guess, the pointy-haired boss area of being a CISO, because we can actually have a lot of impact, not just the things we could do as an ISD, but the ability to actually build holistic, long-lived security programs so that we can actually have security be part of the DNA and culture of a company. And I got a couple of really, really great opportunities to start the security team at Twilio along with the founder of Eclipse. So we're like, hey, let's actually really make Twilio into a company that really believes that security can be part of its DNA, you know, to call back with Brian Chess, and then go back to NetSuite next time so I could do the same thing. And then kind of the rest is history, yada, yada, yada, yada, yada.

Michael Coates:
I remember myself, it was a fascinating turning point going from the external perspective of finding flaws in other people's code or systems to being on the inside. I remember one of the first times we had a cross-site scripting vulnerability at Mozilla that was publicly reported. I was like, oh my God. Like, how could this happen? How could this happen to me? What's everyone going to think of me? Like, don't I know how to prevent cross-site scripting? And at that time, you know, it was a team, and it's the element of systematically preventing issues at scale. And it was such a mind flip because technically it's super easy to prevent cross-site scripting; conceptually you're just output encoding. That's not hard. Doing that at organizational scale with all your developers, no one ever making a mistake, or having the frameworks there to do it, that's like a whole other ball game that blew my mind. And that was some of the same things you're saying. It's really cool.

Fredrick Lee:
And look, you already kind of honed in on that problem, like how do you do this at scale? Right? Like, I think earlier in my career, I was definitely a frustrated security engineer, like, oh, why are developers doing this? Oh, developers are so dumb, blah blah, not recognizing my part in that. Meaning, am I giving developers the right knowledge to do the right thing? Essentially, am I empowering developers to be better at security? Do I give them the right tools? Do I give them the right knowledge? Am I really there along on the journey with them? And do I have the right empathy to really allow them to move at development speed, but also be security conscious? And that was another huge light bulb moment for me. I think I really leaned into that heavily, particularly at Square, where it really is all about build, build, build, like what are the things that we can do as security practitioners or security organizations to build a safe ecosystem so developers can make the right choice, so that it's actually the default choice. When you think about stuff like cross-site scripting, it is a fairly complex thing. It's not that developers can't understand it; it's that there are so many other things that they're wrestling with. That is something that we understand really, really well as security practitioners. So let's actually put our engineering hats on, help improve frameworks, help improve some of the other things so that developers are almost, kind of, you know, safe by default. One of the things I try to strive for is that 80 percent of the time I want my developers to just be making the right security choices without the security team being involved. The long-term vision that I have for the industry, that I would love to see become reality, is that security teams essentially become smaller and smaller and look much different because developers themselves are actually doing security and they're doing that naturally. And it's through us continuing to give them the right tools and building the right things.

Michael Coates:
Yeah, I agree. That'd be a wonderful direction. And I think some of it is that the way we see the world is almost influenced by, you know, the differences between Silicon Valley companies, the speed at which they have to move; we're forced into this go-fast mode. And then that heavy focus on engineering, which if you compare it to a big bank in the Midwest is a little bit different, like we're going to stop everything and you're going to go through a big heavy choke point. You can see that whole world flipped on its head by the nature of the companies that we are at.

Fredrick Lee:
But I would argue that even some of the, quote unquote, large banks actually could benefit from the same idea. How do you actually get developers more involved? We do know that, at least in our current thinking, and I definitely can riff on this a little bit more, the number of security practitioners in the world is just smaller than what we need. Even if you're at a large bank and you're in a large security team, you're always going to be outnumbered by the developers. So we need to figure out better ways to enable those developers to operate securely, even with a small security team or even with a nonexistent security team. So that means that even a place like, you know, whatever large Midwest bank you can think of, or East Coast bank, et cetera, you want to actually practice a lot of the things that people here in Silicon Valley are doing, like a lot of those things from a developer enablement standpoint. How do you empower people? How do you turn security into a benefit as opposed to a cost? Right. Like even at a bank, they want to move fast, but there's money involved. They want to get more money. The more that they can ship out new features, the more they can get more customers, et cetera. That's beneficial to a bank as well. So they have a lot of the same incentives to adopt some of these models of what modern security should look like.

Michael Coates:
Now, along those lines, are you seeing a shift in the CISO role itself? You're touching on some of these ideas like developer enablement, engineering driven. It seems like there are a few different flavors of CISO roles out there. What do you see as the direction forward there?

Fredrick Lee:
What do I see as the direction forward there, and hopefully it's mostly what I also want as a direction forward. A couple of things. I really do want to see more CISOs as business enablers as opposed to just a checkbox or just purely a compliance type role. Not in the sense that you don't need compliance and governance, but a security team is expensive, and it really should be adding value to the company. Even more so, ideally, the security team should be giving the company a competitive advantage. So what they need from a CISO standpoint is that the CISO should be really thinking about how do they accelerate teams? How do they allow teams to be more self-service? How do they allow teams in the company to really understand pragmatic risk taking? Because I know there are actually tons and tons of vulnerabilities out there. There are tons of different things for security teams that can be fixed; which are the ones that are actually really important? Like, we need more CISOs thinking about the idea that the role really is about helping a company understand and manage risk, not stopping risk, because we actually do need to take risk, the entire reason we're going to visit, et cetera, this idea of, OK, we're going to place some bets, and those bets are things that other people haven't done. And let's figure out a way to actually control that risk in such a way that we can make a great product, make something that the consumers like, that's also safe at the same time. And that's where the CISO comes in. How do I allow this company to make a great product while also keeping the company and the customer safe?

Michael Coates:
Yeah, it's very refreshing to hear that, understanding pragmatic risk. I think that's really spot on. One of the challenges I've seen historically with the CISO role is that the accountability for risk has been totally skewed. So they become accountable for every risk without the authority to impact the system. So naturally, if you are responsible for every problem, you're like, stop, don't do it. And I love what you're saying, which is, what if we empower teams to be able to take risks, which also means accepting responsibility and accountability there, but then suddenly you've got a whole different model and you can do all sorts of really cool things.

Fredrick Lee:
Oh, and it's phenomenal. I've definitely gotten the benefit from that at Gusto, and at Square as well, which has a similar model now. And I believe that at Twitter that was the model that you pushed there as well. This idea that the person who's actually proposing these product things, they ultimately own the risk. And when you tell an individual, hey, you're actually responsible for the outcome here, both good and bad, they actually make different decisions. And then your role as a CISO and security team is really about providing them that visibility. The analogy that I've used with other people is, it's like when you were a broke college student, right, and you're spending your money at Pizza Hut and maybe the bar occasionally and you're not paying attention to how much money you're spending, but maybe you get a copy of Quicken, Quicken was from my days, but maybe you're using Mint or whatever.

Fredrick Lee:
And you see, oh, wait a second, this is where my money is going. Once you understand where these things happen, you actually make different decisions. But when the security team is labeled as the risk owners, you are actually decoupling that from the people making the decisions. One of the things I've got to talk to other people about is that, to some extent, there are things that security just can't do from a risk standpoint. So we know that developers are moving at such a speed that even if your security team is set up in the traditional gates model, whatever you've reviewed, whatever you've assessed, is going to be different in production than what you actually looked at, because you did that assessment a week ago, two weeks ago, three weeks ago, or even a month ago, and what lives in production now is different, because you're releasing several times a day. And so changes have already occurred. So it's better to actually push that down to the people who are actually doing the changes and really make sure that they own it. And that has been a super healthy model. What I've found with this model of the product owners actually owning the risk is that they actively bring in security. They actually want security to help them. I'm in a fortunate situation. I just have teams actively saying, like, hey, Flee, give us more security help. Hey, Flee, can I have your security engineers come here and take a look at what we're doing? Hey, Flee, what do you think about this? And it's actually such a great feeling because it also is great for the morale of the security team.

Fredrick Lee:
Like, they no longer feel like they're the cops or the bad guys. They really are there as enablers, and they really feel more like a part of the engineering and the company-building effort as opposed to the people slowing people down and the people that are actually being avoided in the cafeteria, et cetera. Speaking of avoidance, are we going to avoid this question about the matching shirts? I love the fact that we have great taste in hairstyles. Full disclosure, this shirt was a gift. So this is actually somebody else's great taste.

Michael Coates:
But, yeah, when we go to the martini bar, you feel you need a blue speckled shirt and no hair. I think it's a given. I think anyone would do it.

Michael Coates:
That's good stuff. OK, so let's see. So we talked about the CISO as a business enabler. Love that. We talked about risk ownership in the teams. That makes tons of sense. You are touching a little bit on this engineering focus. Do you think there's a shift there? Is that where security teams are going, taking on more engineering elements to empower teams? Or how do you like to structure your teams with this thinking of engineering?

Fredrick Lee:
I love builders. I love engineers. And part of the reason why it's so great is that engineering scales. It just does. Like, doing a point-in-time assessment or somebody sitting down with me like, hey, this is broken, blah, blah, blah, that doesn't scale. Like, maybe you can do that assessment one time, but now that person has to come back to you again. If I build you a framework, if I build you something like a tokenization service, if I build for you a better crypto storage system, then that's actually something that scales across all the engineers. You actually get to solve fundamental problems that everybody in the company begins to benefit from. And that's actually one advantage of adding engineers to your team. My team at Gusto is primarily engineers. Most of them can actually write code. They don't necessarily write code day to day, but there's definitely a team for which that literally is kind of their primary function. Same thing at Square. Same thing at Twitter. We're seeing more and more of these modern teams saying, like, hey, wait a sec, there's so much power in software. Let's use that. One of the other great things is that we used to think of security as actually just being kind of a policy type thing and a policy type function, like, hey, we're going to write a bunch of guidelines. How many times do you actually see someone actually read those policies? It's all fair and good, and they might actually read the policies. But if you turn those policies into code, you know you're getting your way, and that actually turns the policy into something that's actually real and not just a checkbox that you show to auditors. You can actually say, hey, not only is this our policy, but here it is in code, here's how it works. Here's how we actually audit it. Here's how we actually make sure that it actually works, et cetera. It's just a much more scalable fashion. The other great thing is that you can essentially steal from other teams. You know, there is kind of that, quote unquote, hiring gap. I still have issues with that. But by bringing in engineers, they don't have to necessarily be a security expert to contribute to security. Because if you have other security experts within your team, they can help out designing some kind of software that we want to see. They can help improve frameworks. They can help your DevOps team actually deploy AWS in a safe way, a scalable way, et cetera. So that's actually one of the things, you know, one of the things of value that engineers actually bring. The other thing that engineers in general really do have is the notion and opinion that their job is to build and find "yes". And that's actually one of the things that I think more and more security teams need to have. If you have a security team, or you work with a security team, where their mantra is not "find yes", fire them. You have to have a security team that really wants to be creative about finding solutions to security problems that aren't just saying, no, you can't do that. Because saying "no, you can't do that" doesn't scale. It also doesn't work, and it doesn't help the business, and it doesn't bring delight to our customers.

Michael Coates:
So, yeah, yeah. That was something that was successful for me as well at Twitter, for sure. Having a portion of the organization be a security engineering team, which was largely comprised of developers that wanted to build solutions for security features, or in the vein of security. And just like you said, that helped a ton for hiring, mostly even internal transfers. And that's like magic because you get somebody who already knows exactly how the product works that you're securing. They know the norms. They know people. You build goodwill real quick with that. And I think there's certainly a desire to teach everyone code to some level. But I would also say at the same time, we had the pure policy teams. We had the consultative, assessment type teams, but the blend of all of them gave you this, just like a rock star team that was really cool.

Fredrick Lee:
It's a superpower. And a lot of engineers are actually writing code. But probably the bigger thing that I like to see, and what I want my teams to have, is builders. And I actually pointed out something about policy. A policy is building, and you can actually be a builder by actually writing policy, and writing policy that's actually right-sized for your company. One of my philosophies at Gusto is that we don't want, quote unquote, aspirational policies. And we see that all the time, where a company is like, yeah, we wrote our security policy. Here are all the things that we do, et cetera. When you actually go look underneath the hood, that actually isn't there; they don't actually do that. For me it is preferable to have really great builders who are like, hey, I'm going to write the policy that reflects exactly what we have, and then start thinking about, well, how do I construct a framework for the company that allows us to actually get to that next level, that addresses some of those gaps we actually might see there, and that's where that build mentality comes in. So you don't have to be somebody who writes code to be a builder; it's almost like a state of mind to be an engineer. When I think engineer, I think somebody who wants to solve problems. They want to be creative and they want to solve problems. So it's not just about writing software.

Michael Coates:
For sure. So you mentioned something that is a really great interest of mine, and I believe of yours as well. You mentioned hiring in security. And I mean, I've seen really bad hiring practices in places, that's for sure. There are so many ways to do this wrong. And I've also seen lots of glimmers of hope of people doing it better. But I mean, amazing teams are comprised of amazing people, who come from diverse skills, diverse backgrounds, diverse walks of life. How do you build that great team, what challenges are you seeing in hiring, and how are you tackling those?

Fredrick Lee:
I think one is just having an open mind and also remembering where we as security practitioners came from. Like, I'm definitely old enough that I pre-exist certifications, I pre-exist being able to go to college for these various things. How I learned and got into security, obviously, at least in the 80s and 90s, was the traditional path. But it's a non-traditional path now, meaning that, yes, I got started by tinkering and breaking into stuff. And that's what we love about security and, quote unquote, hackers.

Fredrick Lee:
But also recognizing what that means was like, hey, wait a second, I was getting a skill set that had nothing to do with a certification or whatever classes I went to, or even the university that I went to. So we should be much more open-minded about how we are looking to hire. One of the things I like doing is actually really looking for certain kinds of attributes in a person as opposed to a particular skill set. And what I mean is, I guess you might know how to use Splunk, but do you actually really understand what it means to be a threat hunter, meaning that you actually really know what it means to take a brand new system you haven't seen before and think about how would I do forensics here? Or take a protocol you haven't even heard of. Hey, how would I analyze this protocol and break into that? So those are actually some of the things you have to think about from an interview standpoint. So I keep building out our interview process to look more and more at attributes that we actually want to see in an individual, as opposed to the specific toolset that they may or may not know. Toolsets change all the time; like, the stuff that I was familiar with in the 90s doesn't even exist anymore.

Fredrick Lee:
Right? I probably don't even recall. Like, you remember SATAN or some of the other old-school tools, et cetera. The other big thing is actually making sure that we are very open-minded in our network and looking far, broad and wide and recognizing what someone could do there. There is a young lady I love to brag about all the time. Her name is Alexandra Nassar. She's a program manager now. And when I met her at NetSuite, she just worked at the front desk, but she had phenomenal skills, one being organized and also working with people. She was probably one of my strongest team members because she was able to go and communicate to engineers and get them to change behavior. So it's really that I wanted to focus on that attribute, that skill set that I needed, as opposed to whether or not she actually knew security. The thing that I've learned is that once you start having a diverse team, it actually makes it even easier to have a diverse team, because other people are like, oh, wait a second.

Fredrick Lee:
Yeah, come join this team of people that look like me; I could feel comfortable there, and I feel like I won't have imposter syndrome, or I feel like this will be a team that's actually open to the thing that I bring here. I think one of the other important things for us to do as hiring managers is to also dismiss some of the stereotypes we have about what a security person looks like. I definitely do not look like what most people think of as a "hacker", even though, I don't know, I have my own past, and there are tools and things like that I've built. But I don't have a mohawk, actually I don't have hair, and in case it's not obvious from the webcam, this isn't a trick, I am black, I'm not white. It's like all these other things that people think of as stereotypes, we just have to toss those out, and toss out the idea that, hey, you have to have certain credentials, you have to have this kind of education. One of the strongest engineers that I've ever worked with, I'm pretty sure he does not have a college degree. I'm not even sure he graduated high school. But he's like one of our robots. He's just phenomenal. And he really has the aptitude, the attributes and the skill set. And that's actually part of the reason why I also kind of think that the idea that our security hiring challenges are pipeline related, I disagree with that. It's just that we're not being creative enough, we're not being thoughtful enough, about how we examine candidates and how we're actually interviewing and building these teams.

Michael Coates:
Mm hmm. Yeah, I think that's spot on. There are some amazing people I've worked with, and their backgrounds have all been very, very different from what you would put down as a stereotypical "this is a great background". You know, one thing that I find very interesting, and I kind of urge everyone into this, if you have someone wonderful to work with and you get a chance to talk about what they've done in life, you might find what I found, which is they have shown success in weird and unusual situations. Like, somebody I worked with was just amazing. And I believe he had a summer job overseeing, like, a farm. And he's not a farmer. And he was successful. Like, this ability to be thrown into a crazy, unique situation, figure out how to be successful and then execute is a really powerful skill in security. And to your point, like, yeah, we have to look at this a little bit differently to find those attributes that really matter and throw out the ones that are stereotypical and hold us back.

Fredrick Lee:
And the companies that are doing that already have a super power and they're out competing everybody else, because they can just draw in talent from so many different places and get so many different views. And it's just so many things that can help improve product. A great example is some of the things that are actually going on now that we are seeing in the ecosystem. So when we think about some of the things like privacy concerns and things like that, privacy impacts people in different ways. And by having more diversity in your team, you have more perspective about how to look at your product, how do you make that improved, et cetera. So it's just super, super important and ultimately you end up with a better product, ideally a better team and hopefully a happy, shiny, better life, et cetera.

Michael Coates:
Yes. So we have a few more topics we're going to hit. Those of you listening live if you have questions about stuff we talked about already, if you have some things you want to pepper Flee with, throw them in Q&A. We'll get to a few of them as time permits. So don't forget to do that.

Michael Coates:
So I want to pick your mind here about two different opposing forces that I'm hearing. I'm hearing the business enabling CISO and I'm also hearing the engineering focused security team. So how do you in that middle spot as the CISO balance technical hands on versus hands off managerial?

Fredrick Lee:
Well, I'm definitely guilty of this, meaning that as a former practitioner, it is hard not to get your hands dirty again. And like that there's this part of your brain that diving in, opening up a terminal, doing something, it just makes it tickle. And it is hard not to want to do that. The better thing to do, though, is to write more. And this is actually a weakness that I want them to write more. Explain your philosophy to your team. Help them understand why you want to have a certain approach, and then get comfortable being uncomfortable, because the discomfort that's going to come to you is that they're not going to do everything exactly like you want. You want to give them the right tools and effectively get out of the way. But also recognize that your job as a CISO is to kind of set the direction, the path, and hold your team accountable to actually hitting those targets. I'm a huge fan of actually just being data driven. So if you're building things from a security standpoint like, hey, what does this assess criteria look like? They were building out a new capability? OK, hey, now we have this new capability, so, for example, maybe you have a modern time like detection and response team, like, OK, well, one of the things your detection and response team is focus on doing is like building out the technical capabilities.

Fredrick Lee:
So you tell the team, hey, I want to see this in the world, I want to see this kind of capability, and I want to see some way to actually verify and check that. Like I said, it's tempting that you put your hands back on it yourself, but it's actually better if you actually really set up what the success criteria is or what the actual objective is and how you want to measure that. And that's actually probably the more important thing for us to do as CISOs, it's an important skill just in general in this leadership role to keep going. How do you actually measure success? And that's one of the areas that you come from a balance standpoint. When it comes to like having a servant oriented type security team means your security team is there to provide a service to the rest of the company. So also figure out like, hey, does the company actually like what you're doing? Like you really do want to think about things like quote unquote NPS. It's OK. Are your customers satisfied? Do you tell your customers that they are OK to fire you? And I know it sounds somewhat controversial, but if your security team feels like they can be fired, then it actually makes sure that there isn't symptoms along with the customers that can really deliver them the actual value there.

Fredrick Lee:
There's definitely a nuance there. Because your security team has multiple customers. There's obviously the product team is actually one of your customers, but also the rest of the C suite, and as well the board of directors are also a customer, and they do have different concerns. Not all of them should fire you, or at least they all shouldn't fire you all at the same time. But it does mean you have the right incentives that you really do the job of security.

Michael Coates:
Mm hmm. Yeah, yeah. That customer oriented mindset is really great. And then that flips the whole thing on its head. Like, of course, you can't be a security team that says no, that doesn't achieve value for the business. That's not customer oriented. I think being the champion of those things and I love how you mentioned, you know, net promoter score, um, those kinds of things, like just asking other parts of the business. Like what are the best ways for us to help you? What are the biggest things you're concerned about? Those are really powerful discussions I found for sure.

Fredrick Lee:
Oh, like one of the core values we have at Gusto on the security team is this idea of lovable security. That actually was stolen from Alexandra Nassar. When we were doing some stuff at NetSuite, she's like where this thing that we call the security rainbow, which is kind of how we communicate it to the company around security, she's like, hey, what about lovable? Security needs to be lovable, it needs to be a team that other people want to approach, that they adore, that they want to be engaged with, etc.

Michael Coates:
Well, I like that. That's really cool. It's really cool. All right. Let's start with you, Thomas. Let's bring you one of these questions. All right. So question from our live audience. How do you see the consumerization of security improving in a post Covid world? Or do you think it improves?

Fredrick Lee:
No, you know, I do think that it is going to improve and I think I'm not a huge fan of this avenue for security and keep getting the kind of attention that it's probably needed for a while. But I do think a lot more people within your company, outside of companies, are now understanding a little bit more about what it means to prepare for these black swan events and the value of that. So, you know, at Gusto we're in a fortunate position that we did spend a lot of time thinking about business continuity, thinking about disaster recovery, thinking about what it means to have a remote workforce, et cetera. So even though it wasn't something that we thought we were going to be using this year, it turned out all that preparation work was useful for this Black Swan event. And people inside the company now, they're like, oh, wow, all those things the security team was talking to me about, the questions they were asking about critical systems, etc. It all makes sense now because now I have access to all these various things and we see that in other companies as well. I think some of the other things you're seeing is some of the more interesting approaches towards endpoint security and how to do that.

Fredrick Lee:
Like what are the things that, you know, teams and companies should be concerned about. Because now we have tons and tons of people operating on networks that are not controlled by the company. Like you might be connecting with a VPN, but you're still on your home Wi-Fi. What happens when you're disconnected? What are you actually doing on your laptop? As our workforce exists today, more and more people are treating their company assets as a hybrid asset. What I mean by that, they use it both for personal and business use. So how do we actually make that safe? And I think a lot of people are really experiencing the value that the security team is actually bringing there to help them do things like that. So we know that, for example, somebody might be using their laptop and maybe they are in G Suite or something like that. So what are tools we can actually roll out to make G Suite safer? Are there things we can actually do to make email safer? Are there things we can actually do to make things like document sharing safer, et cetera. In particular, now that people have in their mindset that their machine is a hybrid machine. And I think you probably, you may have made this mistake in the past yourself, but classic, like the classic thing, for example, in G Suite is I have your email address and I'm writing a document right now and I have, you know, michaelcoates@gmail.com. Because we've exchanged emails personally or something like that. And now I'm writing a sensitive document and I'm sharing it with people. And instead of like Michael Coates' business address, I actually would send it to the wrong address. Are there protections we should use? We should expect people to make more of those kinds of mistakes I've already seen in the past, even more so now in this hybrid model where like, hey, my work computer is my personal computer. Sometimes my personal computer is my work computer. So those are also things that I think are really, really impacting. Things that Covid is kind of exposing, because now we have people doing this at least eight hours a day where they're at home using their personal computing device or their business computing device in this hybrid model.

Michael Coates:
Yeah, the cloud reality and that misalignment of work and personal access and resources. I saw that a fair amount at Twitter and still coming, and that was before this new Covid reality. And you're right, I think it's increasing even more. That example you mentioned in particular, certainly an area that I know well also, something Altitude Networks focuses on extensively in that and variations of it.

Fredrick Lee:
One of the things that I've seen that come across so frequently in the document sharing scenarios in particular is like dealing with board members.

Michael Coates:
Yep. Oh, yeah. Or next board members all the time.

Fredrick Lee:
I know we have more questions. I don't want to ride along for too long. You know, I'm from the South so I can talk forever though.

Michael Coates:
I like it. I mean you put us in a bar, you give us some drinks too. Let's talk security. We're going to keep going, OK? Let's say we'll mix them back and forth here. I've got a quick question for you, which is what should people be reading or following for security? You have a favorite Twitter account, book, website, I don't know, anything?

Fredrick Lee:
Yes. I have several. There actually is a new website slash newsletter slash Twitter account that I have gotten a lot of value out of. It is called TL;DR Sec. Yeah, I love it just because it does a really good job of capturing new innovative security engineering work, like true security engineering work. And it focuses a lot on building tools that you can actually utilize in your day to day. It does a really good job, actually, also just digesting that information. So it's run by a gentleman, Dr. Clint Gibler. He spent a lot of time actually just going to conferences, and reading through and poring through some papers and just various different announcements about what other people are actually working on. If I only recommend one thing for people to follow, just across the board it'd be TL;DR Sec. I'm a huge fan of a couple of blogs. Obviously, I'm biased. I still love Square's blog. I think that Square actually does a really good job of actually promoting some good engineering and security things there. Segment has a phenomenal blog that actually they've benefited from stealing a lot of great hires, in particular for their security team. I'm still angry at them for that, but I love the work that they're doing over there. I can never say enough things about Netflix and their open source blog and the things that Jason Chan has actually been doing. They're pushing the boundaries of security. If it comes to books, probably one of the books I recommend the most is Security Engineering. And it's free. You know, obviously you can go and buy it on Amazon, but you can also just Google it and the book is there and you can just download the chapters and it's actually digestible. And obviously security is a vast field and there's so many different things and different portions of that. And I think that book actually really captures all of it in a way that's actually digestible, even for somebody actually early in their security journey. It is one of my favorite books to recommend to people. So I always try to give a shout for that as well.

Michael Coates:
Awesome. I will track those links down and we'll put them below the shared recording. For those of you listening, those are awesome. And I second the TL;DR Sec, that's for sure. I came across that one as well. Talked to them right before RSA, and it's awesome. It's a good one to subscribe to. Alright, two remaining items here. Let's see. Let's work on another question from our audience. How do you think about connecting product security with the user in the future and partnering with your users to achieve better security for them and your product?

Fredrick Lee:
Oh, I love this topic. And it goes back to the whole lovable security thing. I would love to see more and more companies, one, actually think about their security UX, like what is the actual user experience for the security controls they put in place? So can you make 2FA more palatable? I mean, like, obviously I'm a huge Duo Security fan, I think they really nailed that, pretty much everything Dug Song does is gold. But, you know, that's a good example. Somebody is really thinking about the experience of security and how it actually impacts end users. And you're in this scenario now where people are delighted with Duo, and they're like, hey, I want more Duo because it is so easy to use and I feel safe. But it actually turns out the users want security. They just don't want obnoxious security. They don't want something that can be overly complex, something that can be extremely disruptive, etc. Also, I like to think about what are some of the things that we'd like to have as security practitioners that maybe an end user would. And I think a lot of this is a lot now in products now, like the classic things like, hey, you know, as a security practitioner, I do care when there are significant changes made to an administrative account or, you know, those kinds of things. And it's like, hey, well, we should probably be exposing it to end users as well. I think a lot of people are probably familiar, maybe seeing this now in Google. Google will say, like, hey, we saw you log in from this device or you can even go and check in your Gmail. Hey, where is the last login activity? The more you can present some of this telemetry to end users in a way they understand the better. It's still a long journey for us in the security world to get better at that. There's a lot of people actually thinking about this concept of user focused security. And so I think it's actually a really, really interesting avenue. I would love to get more people involved in that, because it's also one of those areas where we can actually bring in more and more people into security. You don't have to be a hacker to understand that, hey, you know, a one hundred and twenty character password is probably difficult for a lot of people to remember. You don't need to be a hacker to be able to do that, but you can actually, you know, help people actually develop really, really innovative designs, things that are actually a lot more humane. And I think it's something we all often forget about in security. We often forget that our job here is that we're actually trying to protect and enable humans. And so we have to make sure that we always think about the human that is at the end of that experience. I can go on on this topic.

Michael Coates:
It's a good one. Security usability is fascinating. I would say when I joined Mozilla and we started thinking about some of the elements in Firefox, security elements that were facing users, like, that was a big smack in the face, like this notion of showing someone like there's mixed content on this page, do you want to continue? Like, wait, what does that mean? Like, we know what that means if we think for a sec. But like, you know, regular old users are just trying to shop or buy something. They don't know what that means. And they're going to say continue because I need to buy a sandwich or whatever they're doing. And it's really fascinating, like, well, how do we do something that helps them understand and make a decision? And the classic fail I've seen is, are we punting on something that we don't want to deal with, to give it to the user and say, oh, user choice? It's not user choice if the user doesn't know what they're doing. That's just failure on our side. And that's hard. That's really hard. All right, so last question for you, based on everything you've seen, what advice would you give to someone that wants to get into security, maybe they are at the beginning of this potential career? Maybe they're going to make a transition from something else and maybe one day they want to be a CISO. What's your advice to them?

Fredrick Lee:
I always feel like there should be a support group for people who think they want to be a CISO. I love being a CISO. I love the people I get to work with. I love my team and all the things they have brought me. But it's definitely, definitely a choice. And there are definitely other ways and other enjoyable things as a security career. So I'm happy to talk to anybody who wants to know about my journey as a CISO, the positives and the negatives, et cetera. With regard to actually just getting started in the industry, recognize that: one is that there are tons of resources available for you to actually go and learn from. One of the things I do always recommend is learn to program. Even learning just how to make a basic web app teaches you so much about a lot of things you think about in modern security, that having that fundamental knowledge there almost gives you a superpower over other people that may have had, you know, the quote unquote CISSP type route, et cetera. Being able to actually build and understand the underlying technology just gives you a superpower immediately. Also recognizing that there are multiple avenues into security, you don't have to just be a hacker. You can actually be a builder. You can actually think about how do you build tools, how do you actually add value from that standpoint? Definitely take advantage of some of the easy resources, like OWASP, you're familiar with that.

Fredrick Lee:
OWASP is a really, really good resource. I actually go and learn some really, really basic things. If you are interested in some of the hacking stuff, I'm a huge fan of PentesterLab, they have some really, really good online materials, good online training. Some free, some paid. That's like another good resource. Also, reach out to the network. You know, there has been a, I guess, maybe this image of security people being jerks. We're not all jerks. And I love to help people learn. I love to help them. And I got to benefit myself from other people actually reaching out to me and helping me actually learn on my journey when I got started in security. And I'm pretty sure it's the same thing for you, Michael. Security was all about the community and actually helping each other. Everybody sharing knowledge about something that you found with somebody else, that DNA is still there. So, if you actually reach out and you say, hey, I want to learn something, there generally will be someone who is actually willing to say, oh, yeah, I'll teach you that.

Fredrick Lee:
I'll show you at least how I do it and I'll show you a little bit of knowledge that I have there. Probably the final big thing is embrace failure and don't give up because it can be hard, like learning. Some of the first things will take a little bit of grit and you won't get it immediately. You might fail. It might seem complicated, but there's going to come a moment where it just kind of clicks for you. And then you're going to actually move forward and actually build from there. And actually, I lied. I do have one other thing, which is something that I've wrestled with trying to explain to other people. There actually aren't a lot of shortcuts to learning security. And what I mean by that is I've definitely had people who've asked me like, hey, how do you know this thing? How do I learn to do this kind of architecture? And there isn't something I can actually tell you that's going to be 30 minutes. I can tell you tons of things that actually, you know, you build all these skills over months, years, etc. and it's really about the synthesis of all the various small experiences that you've had that actually lead you to be a really, really great security practitioner.

Michael Coates:
Yep, yep. I agree. There's certainly an element of hard work and grit getting in there, figuring things out, that's for sure.

Fredrick Lee:
Embrace the grind. Man, embrace the grind.

Michael Coates:
Yeah. Awesome. This has been wonderful. Flee, thank you so much for your time. Really appreciate it. Thank you to everyone who joined us for this live. Pretty awesome to have you here. Taking a moment out of your day to join us in this nice place in Barcelona. And thank you to the people that are watching this recording in the future. But this was Flee, who you're with for this last forty five minutes and all his wonderful information. I'm Michael Coates. This is brought to you by Altitude Networks. If data security in the cloud is something you are thinking about, check us out. We have more CISO to CISO webcasts coming. So do follow our LinkedIn page or Twitter as well, we will announce them there, other great minds that'll be on here sharing their thoughts. But again, thanks so much and thanks everyone for joining us.

Fredrick Lee:
Thanks for having me.
