Social networking website Reddit announced the appointment of its new CISO, Fredrick “Flee” Lee, in July 2023. Drawing on over 20 years’ experience in the information security industry, Lee has been tasked to mitigate risks and overcome the challenges around information security, privacy, and compliance at the company. This represents a unique challenge given the vast range of users and content creation on the Reddit platform.
Infosecurity caught up with Lee to discuss his new role, his approach to leadership and the power of diversity in cybersecurity.
Infosecurity Magazine: What inspired you to take up the CISO role at Reddit?
Fredrick Lee: I’ve been a Redditor for over 12 years and strongly believe that it’s one of the few places on the internet where anyone can participate and find their community. Whether it’s memes, hobby tutorials, financial advice or advice on complex relationships, Reddit is filled with deep, nuanced conversations that build bridges and connect people over shared human experiences. This has consistently attracted me to the platform and is also why it’s where I feel most comfortable online. I’m looking forward to playing my part in helping Reddit and its online communities continue to flourish.
IM: What are your priorities in the role of CISO over the next 12 months?
FL: I will be spending a lot of time listening and learning about Reddit from colleagues across the company during my first few months. My goal is to spend an ample amount of time getting to know my security teammates as well as understanding different insights and opportunities from other Reddit leaders. I will also be working to understand how we think about security and what my colleagues need so that we can create a world-class security organization.
From there, I’ll be connecting the dots between our security team’s efforts and the company’s strategic priorities. This means looking at our current roadmap, resourcing and team structures, and how the security and privacy posture supports our company growth and platform innovation while also keeping our platform and our users secure.
IM: How have your past experiences in cybersecurity have prepared you for this role?
FL: Having an early jumpstart in cybersecurity has allowed me to help shape and experience technological advancements as the industry has evolved. Starting my career during the formative years of the internet has given me a real appreciation for the fact that when you are creating things from the ground up, security and engineering need to be aligned to do more. This has been an enormous benefit, particularly as I’ve developed my own philosophies and approaches to security.
"Establishing credibility in the industry and building executive presence is more difficult as a black man"
One of my strongest-held philosophies is that security needs to be approachable, which means that we are constantly thinking about how we should interact with humans for them to have a great experience. After all, we are attracted to things that delight us. There are lots of great examples of this, such as companies moving from passwords to touch or facial recognition.
IM: How has your approach to leadership evolved during your career?
FL: Diversity of thought and experience is incredibly powerful and is something that I anchor my leadership principles around. At the beginning of my career, I would seek to work and hire people who shared similar job experiences as I did. The pitfall was that I overlooked hiring some great talent. I’m now more focused on taking a ‘first principles’ approach, which means I’m evaluating someone’s attributes and potential more than specific credentials.
I also strive to have empathy and communicate about why we are making certain decisions. Working in security can be difficult because you are often balancing multiple priorities and risks, and you have to get buy-in from the whole organization. Without empathy and explaining the why, you’re going to have a more difficult time effecting change.
IM: What have been the biggest challenges in your career to date, and how did you overcome them?
FL: Race has always been a major challenge throughout my career. Establishing credibility in the industry and building executive presence is more difficult as a black man. To some, I’m not what they expect a security leader to look like. However, I’ve found success by unapologetically being myself, knowing my strengths, and continuing to do what I do best.
While these diversity issues have been gradually changing in the industry, it’s something that we have to be incredibly focused on as a broader community. If we don’t have a diversity of human experiences, then we won’t understand how to secure our wider communities, whether they are online or offline.
IM: What are your biggest concerns within cybersecurity today?
FL: From a technical standpoint, I’ve noticed that there has been a significant increase in ubiquitous bandwidth. For example, your phone is permanently connected at a high enough bandwidth that hackers have multiple options and few constraints when it comes to compromising and leveraging that device. This poses a major challenge for the security community.
“The widespread availability of password managers has been a huge win for security"
If we were to examine issues from the inside, security teams continue to be outnumbered and it’s tough to find practitioners who are also builders and software engineers. When you look at all disciplines within the security industry, there are just simply not enough people and too few of them come from diverse backgrounds and experiences. This results in having limited understanding and protection of human experience. For example, how do we think about the credentials that women in patriarchal societies are required to provide and how their privacy is protected?
It is unrealistic to think that people without lived experiences can understand all the different cultures. It’s important that we have people who have experienced the security and privacy considerations that come with these types of security issues. Without true diversity, we will always struggle to understand how to address and mitigate them.
IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?
FL: This ladders back to my security philosophies, specifically the idea of making security loveable and enabling humans to have great experiences. One of the biggest successes has been the adoption of two-factor authentication, which has become much more user-friendly and secure over the years. There are now multiple options available to individuals and organizations that are not a pain to use, and that makes good security much more approachable.
In a similar vein, the widespread availability of password managers has been a huge win for security. These tools have made it easier for people to remember and choose strong passwords. While it might be a simple change, these developments encourage people to improve their own security by making it easier to do so, and that is what security should be about.
IM: If you could give one piece of advice to fellow CISOs, what would it be?
Pick up the keyboard! I see too many CISOs that don’t practice security day-to-day. If you are going to do this job, then you need to get into the weeds and have hands-on experience. Otherwise, it is difficult to have empathy for your team and to effectively communicate what needs to be done and why.
Header image credit: Sergei Elagin / Shutterstock.com
