8. Fredrick Lee, CSO of Gusto: Why is authentic diversity essential for epic security teams?

Hello, everyone, and welcome to the Security Podcast of Silicon Valley. Today, we have a very special guest with us, Fredrick Lee, or Flea, as he sometimes prefers to be referred to, is the Chief Security Officer at Gusto. Before being the Chief Security Officer at Gusto, he was the Head of Information Security at Square, the Director of Security at NetSuite over Oracle, the Lead Security Engineer at Twilio, and you were at Betfair as a Security Manager, so starting to develop your leadership style there, I imagine. Fortify Software, it looks like you were a Security Researcher.

Ooh, that sounds fun. Did some bug team. A VP at Bank of America. Awesome.

And before that, a Java Developer at Transcore and a Senior Systems Developer at Intellis. Wow. Yeah, that's going way back. You can see the entire history of Flea throughout the various different dot-com crashes and where it ended up.

So it's always good and always interesting here. No, it sounds like you've always taken full advantage of your opportunities and have become this great leader here in the security world. I remember seeing you at B-Sides, and we bumped into each other also at RSA, and just always coming away with a really warm and fuzzy feeling on the inside about the way that you spoke about security and team building. And I don't even remember what the topics were that we were discussing, but it always had resonated with the values that I bring to the table as well.

So let's go back even further, maybe all the way back to childhood. Was there a moment in childhood that really helped define who you are or see the world? And clearly, you became interested in security at some point. Yeah, that actually did go back to childhood.

I just didn't call it childhood per se. And, you know, obviously, for people who have been listening to audio only, you can't see. I am old. I am unapologetically Gen X.

I love being Gen X. Getting older is a gift, and I love it. And so, like, I got into computers in general super young, and it was partially just because my parents, they put a high emphasis on exploration, building, and education. And anything that they could do to actually help us as children, you know, like, learn more about the world, explore different hobbies and things like that, they were always super supportive of it.

Having said that, though, you know, I did grow up in Mississippi, which in general is just an impoverished area. We didn't grow up with money, and so my parents always would try to figure out ways, different ways to actually expose us in a way that was economically feasible, but always supportive of us. And so for me, a lot of my exposure to computers actually came through various different schools, occasionally some neighbors, and obviously the library system in Mississippi, which actually it is fairly decent. You know, obviously, it could be better, but for me, it was a great resource and a great outlet.

What got me into security, one of the things that my dad was really adamant about was us just constantly learning and constantly reading. During the summer, for example, you know, I grew up in a, in Mississippi would be considered a small family. So I have three siblings, so there's actually four kids in Mississippi. That's actually a small family.

And yeah, and things like that. During the summer and things like that, yeah, you have four kids. What are you going to do with them? So like, you know, literally at least once a week, my mom took us to the library and we were required to pick out a book and read it.

And then we'd do the same thing the next week, et cetera. And one of the other things my dad liked to do to supplement that, so he took us to bookstores. Even though, you know, we couldn't necessarily actually afford to buy things, like, hey, pick up a book at the stores and you can actually just hang out there and actually read. So for me, as I was actually kind of dabbling in computers and a lot of the things that people were like familiar with, especially people maybe in the older generation, you pick up like a magazine, maybe something like, even something like my computer shopper.

And oftentimes there would be articles about things that people were doing with computers and be like, hey, you know, these little sample programs. And there you go. Here's something in basic. You can actually go back and type into your Tandy or your Commodore 64 or whatever.

And eventually I stumbled across this magazine called 2600. 2600. I'm a lifetime subscriber. I love this magazine.

Oh, it is spectacular. And so as I was reading this, I was like, oh, this seems really interesting. This is really cool because a lot of stuff that people work on effectively were just puzzles and just puzzle solving. And it really did resonate with me, this idea of exploration.

One of the things that especially caught my attention, though, especially, you know, later in life, was I came across these writings from a hacker. You know, his name is John Lee, John Threat. He was one of the primary members involved in the quote unquote hacker wars of the late 80s, early 90s. And it just it just triggered a light bulb in my head for several reasons.

One, I actually thought what he was doing was really cool. Two, and more impactful, I guess, to me, especially younger, was he was the first hacker and first person, like real person, using computers that looked like me. So for the people who are just audio only, yeah, it's not a special effect if you see the video.

I actually am black. I love being black. My plan is to continue doing that until I die. It's phenomenal.

That sounds like a fabulous plan. So far, so far, it's been working out pretty well for me. But to actually see, you know, John Lee, it's like, wait a second, this guy looks like me. And I actually didn't know his last name at the time.

But yes, like, oh, that's the first black, like real black computer scientist that I've seen. And obviously, he's also a black hacker. And he just had like a wealth of knowledge and just his approach towards life. What I quantify as aggressive exploration.

And, you know, like aggressive exploration and aggressive education. I love how you phrase that, aggressive exploration. It's so positive. I love it.

Well, and it's because, like, you think about John, even you, like, you probably got into security because you're really excited about learning new things and having challenges and things like that. And that's kind of like how I got into security. And fortunately, fortunately, like laws were a little bit different and people didn't really understand the internet as much back then. So my aggressive exploration during like, you know, my teen years, my early teen years, was something I was actually allowed to continue doing.

And actually, I learned a lot. I was fortunate enough to go to a residential high school, the school called Mississippi School for Math and Science. And there we, you know, had a wealth of access to computing infrastructure. Everything from just the classic SPARCstations.

Yes, I'm that old. I used to, you know, play on a...

So for the younger, late younger listeners, what is a SPARCstation? Oh, yeah, yeah, yeah. So a SPARCstation, it was like one of the primary like Unix type workstations provided by Sun Microsystems. The people who quote unquote used to say that they put the dot in the dot com.

And this is the early infrastructure, early Silicon Valley, some of like the earlier stuff actually going on with networking technology, just high performance computing, et cetera. And this was like super, super old days. And I was super excited. One, because I've been reading about the RISC platforms and things like that.

And actually, if you worked on a SPARC system, it's like, hey, okay, now I understand a little bit about what it is that you use the RISC architecture as opposed to some of the, you know, things that you're doing on the PC side. But my high school, we had a lot of facilities there. And fortunately or unfortunately, the teaching staff wasn't as familiar with computers. So a lot of the administration of computers essentially fell upon the students.

And to some extent, I became a de facto sysadmin for the school. And it was like, well, we're actually all just learning. Everybody was learning. Everybody was learning.

Yeah. Yeah. So I definitely had my missteps, got into a little bit of trouble, but eventually with enough in dorm suspension and confinement and things like that, I eventually got the message. Like, hey, you know, these computers aren't just to play around with, aren't just to wreak havoc with.

There's actually other things you can actually do. And I had some really great teachers, in particular, Jack Carter in Mississippi, who really actually helped put me on a better, more legal path for some of the things that I was actually doing and actually corrected me to have a better, fulfilling career than future. So it's not, I am grateful that I'm not in jail, but that probably was the trajectory I was on. But I was also grateful for the freedom and some of the support, not only that my teacher provided me and not only that my parent provided me, but the security community that provided me.

I think a lot of people just aren't aware of how powerful IRC and Usenet were at the time and still are. And one of the things I love about the security community, and obviously we're not perfect at all. Oh, no, far from perfect. Far from perfect.

We tend to actually work on it. But especially in those early days of the internet, it was all about sharing. Hey, what did you learn? What can you tell me?

What can you tell me about this kind of operating system? What can you tell me about this university's computing system? What can you tell me about why you built something that you did? What can you tell me about obfuscating things that you've been working on?

What can you tell me about like cracking software? All those other kind of things that maybe some of the targets weren't as positive. The lessons that you learned were truly positive. And the lesson of sharing information and that we're better when we collaborate was something that I'll always take with me.

That sounds like a truth that most people miss that you really latched on to nice and early. That collaboration and connecting with others and sharing our experiences is how teams become stronger than the sum of their individual parts, right? 100% agree. 100% agree.

And one of the great things about being here in Silicon Valley is that we still see some of that. And in particular, especially in the open source world. So like for me, being a hacker or curious computer user and the open source world just go hand in hand because it's all about, we're just here for the purity of the puzzle. I want to see what else I can actually do with this machine.

I want to see what else I can actually do with humanity. I want to see what else we can actually do by taking somebody else's knowledge and just doing a slight riff on top of that. When I think about how we progress in technology and in particular security, it feels a lot like almost like freeform jazz.

It's like, oh, hey, there's some people who have actually just laid down a melody, and hey, can you riff on top of that? Okay, well, now this actually has turned into something else itself. And now there's somebody else who's going to riff on top of that. It's one of the things I actually I love about security.

Also, full disclosure, I'm really passionate about music. It's like for me, security and jazz, punk, and hip hop go hand in hand because it's all about do it yourself. It's all about exploring further beyond the boundaries that people have actually told us existed before and reusing things that we've already had in society, right? You think about like, hey, you know, I learned this thing in C, and now all of a sudden, I now know how I can create buffer overflows.

I can do some of these various different things. I can, you know, all these various things. And it's things that we actually just learn from each other. So that's one of the reasons why I'm almost always excited about security.

No, that's, I love the analogy over to the music side of the house because there is some, there's an art underneath all of this stuff. And it gets to the collaboration as well. And when you find that riff and that groove, you can build something really cool very quickly and you can surprise everyone in the room that happens to be there and share the experience, which is spectacular. So as a, as the CSO, so what is it like just a day in the life of?

The day in the life of a CSO, Gusto and just the day in the life of a CSO in general. When you think about a CSO in general, one, I actually think there's actually a lot of misconceptions, but in some of those misconceptions are really like, hey, what is the nature of the role? What do you do on a day-to-day basis? And then even more so, what makes you qualified to be a CSO?

One of the things that I have found, especially in what I call this new generation of CSOs, is oftentimes now, a lot of times people are CSOs, not necessarily voluntarily. It's like, hey, we needed one and you were here and you weren't smart enough to say no, right? And that's actually slightly just tongue in cheek. One of the discoveries out of security is most of inside of security are deeply technical and deeply passionate about being technical.

But an interesting thing about being a CSO, and this actually goes back to this idea of collaboration, is part of your role as a CSO is getting these various band members together and making their individual performances into a song or into a activity. And something that's actually is bigger than the individual parts. It's things that if you're shipping or building or how you actually provide it for your customers are more secure today than they were two days ago. And keeping that momentum going and even more so, so that more and more people inside of the company are actually doing the work of security.

Because that's fundamentally how companies win. They don't win by having one great security team or one great security person. They win by getting the entire company to embrace security and the philosophies around it and to be proactive towards actually, you know, making better secure outcomes. One of the other things that I think the CSOs have to master is this idea of just communications in general.

Some people, especially if those people probably aren't from like that Louisiana, Mississippi, Cajun area, they will definitely hear parts of my accent slip out. But like one of the things that's fundamental is our ability to be effective communicators and to explain risk to the entire organization. So that's actually one of the things that, you know, is important for a CSO, managing that ability to communicate and talk about risk and talk about risk in a way that is right-sized for the business. I don't believe that we should eliminate risk.

Risk is where opportunity is, right? Hey, if you're investing in the stock market, you're taking a bet. And the idea is like, hey, you want that risk because that risk is going to allow for an oversized outcome. We wouldn't have the internet as it is today if people weren't taking risk.

Like think about this, back in the like, you know, late 90s when eBay came out and everybody was buying beanie babies, et cetera, on eBay. Oh, I remember those. Yeah. Well, just think about how crazy it would have been, like how crazy it was, the idea that you're going to put your credit card information or payment information onto the internet and somehow another stranger is going to get paid and you're going to be able to actually keep the rest of your money, right?

Nobody's going to steal your money. That's just a...

dumb, crazy idea. It was insane at the time. Insane at the time. You want to put your credit card information in a computer, it's going to whisk away to some other computer and they're not going to steal it?

Yeah, and you don't even get to see the other person on the other end. You have no idea who that person is even involved in this. But because we leveraged this math and encrypting things like that, we had SSL, otherwise known as TLS now, to make that more secure. And now we have this entire booming industry, right?

You know, when I think about some of the stuff that we did at Square, and I'm still super proud of what Square has built and what Square is continuing to build, a lot of that was like, hey, the dumbest idea ever. Hey, you want to give your credit card over to some random person and have them plug some numbers in in their phone? Oh, that sounds super crazy and stupid. But by taking that risk, Square built a multi-billion dollar company.

eBay and PayPal built multi-billion dollar companies. By us here at Gusto saying like, hey, we're going to help you with your payroll and we're going to take some of this sensitive PII and we're going to make that PII useful to you to give you benefits, get you paid, et cetera. That sounds crazy. And it was crazy at the time.

But because of taking that risk, you know, now we have this approximately $9.5 billion company that's flourishing. And that's part of the job of the CISO is to actually help facilitate risk taking, right? So one, you actually want to be able to correctly articulate risk and be able to actually communicate well to people inside of the company what risk means, what risk do we have.

And then you want to actually figure out ways you can actually help facilitate safe risk taking. And it's kind of like this idea that I talk about, and actually I learned it from Sam Quigley, this notion of pragmatic risk taking. Like, hey, we're there to actually be business enablers and not people who actually say no. So that's what I think of when I think of like the day-to-day.

The day-to-day facilitate that top-end growth, build the business, build something great, build a better future while taking calculated risks that are well understood and within reason. Yeah. And then, you know, and the other part is then helping the company build resiliency in case those risks don't pay off. I'm more interested in being able to fail quickly and recover quickly and safely than I am in saying like, oh, I'm just going to eliminate all vulnerabilities.

There's never going to be anything that actually comes across the board, et cetera. So I think it's more interesting to actually be able to solve that problem because that helps the business keep moving at speed while still protecting testers. No, that's spectacular. So could you put your finger on maybe a single best day that you've had at Gusto so far?

No, this is actually a great question. I've had so many great days at Gusto. I would say probably one of the single best days for me at Gusto, oh, that's such a good question. There's so many of them.

If you wouldn't mind, I want to talk about more than one. Oh, sure. Let's do it. Yeah.

I love good days. Yeah, yeah. So one of my best days at Gusto was during the summer of, actually, literally just last summer, the summer of 2020, during, you know, like some of the uprising around the George Floyd and the Black Lives Matter protests and things like that. And the reason why one of those days is actually really important to me, and it was like one of my best days, I was personally impacted, not in a, hey, I was there and I was beaten up or something like that by malicious cops.

I was deeply impacted, one, just as a Black person, and as a Black person who, I would argue to say I've been successful, but here in San Francisco, I live in San Francisco, I regularly get stopped by the police. Like I regularly, you know, have to explain, like, no, this actually is my car. I actually do live here. This actually is where I get over here, et cetera.

Like having a company like Gusto, something that occurred, Gusto, we just, we essentially said like, hey, you know what, everybody, we're going to just stop what we're doing right now. And we're going to do a couple of things. Like one, we're going to talk about this for the entire company. So we just had an all hands for the entire company saying like, hey, this is what's going on in our community.

So at Gusto, we truly believe that we are there for the community. We're part of all these ecosystems. And we want to make sure that we can always show up for anybody in our community to actually help them. And that includes our internal employees.

And so we paid, let's talk about this. How are you feeling about this as an employee of Gusto and actually just a member of American society? And not only do we actually talk about it, we said, but what can we do? What can we do to actually put things in action?

What can we do to actually show up better and offer more support? And so, you know, we spent a lot of time just to talk to me just on that day and then to follow on actions afterwards. Like, hey, we're not just here to get money from the ecosystem. We're here to build a better society and a better future.

So what are things that we can do to actually stand up and really be present for our internal employees, but also for everybody else outside in the ecosystem? And for me, the bell that actually deeply important, that resonated with me deeply because first of all, that's actually the first time I've been at a company that was willing to do that. I've been at other companies that talk about diversity, that talk about these things. The litmus test.

Yeah, the litmus test is one of the easiest things to do. It's nice to hear it, but then it's like, then what happens, you know? Yeah. And so we definitely put some action there.

The other, probably best day for me was one. I discovered an internal issue, and I won't go into the details because I don't want my lawyers to beat me up later. There's like an internal issue that I just wasn't excited about. And it was actually just one of the ways that our engineering team was operating.

And I was like, hey, you know what? We can do better than this. And I thought that we actually owed it to our customers. This wasn't like a security defect or something like that, or it wasn't like, oh, no, the company's been compromised.

But it was an area that I felt like we could make some significant improvement. And one of the things that I'm just super proud about is that all the engineers got on board. They were like, hey, Flea, hey, security team, we hear you. You explained this problem to us, and now we're going to act.

And so this problem, and this is actually a problem that previously the engineers just thought couldn't be solved. And they're like, hey, this seems really scary, and this is just how all of engineering teams operate. But they were open to hearing the message from myself and other security practitioners inside of Gusto and just immediately, no argument. They just went right into action.

And this actually was like, and there's probably tons of listeners who have actually come across some similar things inside of their company that they weren't able to change. But this actually was a great day for me because it's like, one, it actually was kind of like proving out that the culture that we wanted at Gusto was actually working and that engineers themselves were like, oh, wow, yes, we totally got to do this. And they were probably more aggressive about getting it fixed and getting it fixed quicker than even I was because they really internalized the message and the importance of protecting the people that use Gusto's platform.

One of the things I always talk about, and we talk about this inside of Gusto, is that we are not data owners. We don't own any data at Gusto. In fact, we own very little data. What we are, are data custodians.

And that data really is just a proxy for a human. And people at Gusto really understand that those zeros and ones that were moving are just like representations of an actual human and a human life who actually depends upon us to be doing a good job being protective, being good custodians and good shepherds of that data and making sure that nobody has a negative surprise from Gusto. And I don't want anybody to ever think that, hey, Gusto did something with my data and that we would ever be embarrassed to talk about it, right? Like I want us to always be proud and transparent about how we actually utilize some of this data.

I feel like there's always some kind of great day that I'm having at Gusto every day. I love those words. You want to be proud and transparent with everything that happens. No, that's really spectacular.

And George Floyd. I remember when George Floyd happened and my heart went out to everyone in Minneapolis and everyone that was impacted in the society in general. I was like, oh, the 2020s are going to be just like the 1960s again. And I actually grew up in Minneapolis.

And so when that was on the news, I was like, hey, I used to hang out right there. I went to school there, University of Minnesota. And I've always been irrationally excited about all things security. So in high school, I volunteered with the local police department.

So here I was like doing ride alongs with these police officers and you would hear the stories. And I knew immediately, oh, this is ripe for change. Like something needs to change. Like we need to fix some of these underlying misconceptions.

Racism. It was rampant. And homophobia, transphobia, sexism. It's all of it.

I got up close and personal just because my passion drove me into exploring law enforcement, doing ride alongs, and then later to see all of that unfold on the news. It was unexpected. And I was disappointed that over the 20 years, it didn't change that much. Yeah, it's an interesting thing because change has to, change requires catalyst and it requires resiliency to say like, hey, you know what?

Yeah. And this is like, I think it's really relevant because you think about when you join a company and especially if you're that first security engineer, that first CISO or whatever, you're going to be making a lot of small progress. But that small progress over a duration is what fundamentally actually changes the company. And it's a funny thing to always say that security people as grumpy as we could appear, probably some of the biggest optimists in the world because they know what a better future could look like.

They know what a better future could look like. We all conjure that up in our heads and imagine like what that is going to look like and then build little roads and struts to help bring us towards there, right? Yeah. Yeah.

And I love the fact that you used to do ride alongs with the police because I mostly viewed most security people as being in that D&D good category. You might be a little bit more like lawful good. My preference was chaotic good. I'm more of an anything goes.

Oh, I definitely had a chaos side as well. In fact, during high school, while I was volunteering with that group of police explorers and doing the ride alongs, I came out as gay. So that was quite the experience. And I was like, okay, there's a choice here.

The choice is like I could lead a double life and keep everything separate. And it didn't resonate with anything that I wanted to do or how I wanted to lead my life. And so, okay, merge everything together. And I remember coming out with all of those police.

I was expecting there to be trouble, to be tension, to be issues. And surprisingly, I was just blown away by everyone's support, which was unexpected. In a conservative high school, in a conservative community, I was expecting to lose friends, but it never happened. And it does really get better.

Yeah, I love that story. And one of the things that I think, one of the things that I love about your story is the fact that, one, you were actually willing at a high school to actually come out. And I think we probably actually have a pretty significant age difference, but I know that some of the struggles for some of my peers and things like that, especially in high school, because we actually lived at the high school. And even more so, Mississippi is not the most tolerant state.

But one of the things I think some of my peers had found, and it sounds like you found this as well, is that individuals can be really tolerant. And we, at least one of the things I always try to keep in mind for me as a minority is I can't paint a broad brush against the police in general, because I actually know some phenomenal law enforcement agents. I also know some horrible people that should never have this job at all. And there's definitely work that can be done there.

But I do think that there are things that we also have to keep an open mind, but at the same time, protect our peace. And what I mean by this, I would never ask a trans person here in San Francisco to go up and hug a cop and say, oh, you just have to love the cops. Because no, it's been a lot of trauma and a lot of history. And some of the signs of the burden shouldn't be placed upon the aggrieved party to close this.

But it is useful to know that, hey, you know what? The entire world isn't like this. And you can be in different places. You can have different experiences, et cetera.

As we go through our interactions and we bump into people that are different from us and very different from us, and we bring our full selves to the table, I think those are the little granular components that actually lead to change, that lead to more open-mindedness. This is actually one of my passions. I want more security people to bring their full selves. One of the things I actually like about our security community, and what is it, like our security community can definitely be toxic.

And I wrestle with that myself. Like how much of this is actually good? How much is bad? Because there are some significant portions of our culture that just need to be erased.

And some of the rampant, pure, just straight-up sexism just needs to go away. The gatekeeping just needs to go away. The homophobia just needs to go away. The transphobia, the racism, et cetera.

Bigotry has no place in security. And I feel passionate about this because way back in the day, back in my day, kids, one, most of us never even saw each other. We didn't know. And so security used to almost be a refuge for the nerdy outcast.

The outcast, yeah, exactly. Yeah. And you could, I used to always joke that if you got into security, there was probably something wrong with you. Like there's something not quite right.

One of my professors, he took me aside and he was like, oh, I understand now why you're interested in security. It changes your relationship to power. And I was like, I hadn't thought of it like that. And I was taken aback.

I was like, well, maybe. Well, no, I've been transparent. Like part of the reason I was so interested in being, quote unquote, in security or hacker, whatever you call it, is I recognized that me as a young black kid in Mississippi, just the asymmetry of the power relationship was just horrible. But computers were a great equalizer.

And like, hey, you know what? I don't really care about X, Y, and Z. And if I have a racist teacher, I could just change my grades now. If X, Y, and Z is happening in the community, I can, you know, manipulate somebody's information.

So now that somebody is no longer getting billed for their electric income and those kind of things. These are all things that security actually provides for us. And I think that we are able to take advantage of some of that in our community. And I think especially when I think about now in modern security, we have real jobs.

Like, first of all, back in the day, getting a security job generally made you working for the feds. And because of my background, that was never going to happen. I could never work for the feds. But now we have these real security jobs and you have a legal outlet.

And the problems that we have, and this is actually interesting, and hopefully this resonates with some of your listeners. The problem that we have now in security is getting more diversity. And I think one of the reasons why diversity is so important in security isn't because, quote unquote, it's the right thing to do. It's actually great.

We should be doing it because it's the right thing to do. But even more so, technically, it's the correct thing to do. Part of our jobs in security is thinking about all of the bad things that can happen and how do we actually mitigate those. So we all have these lived experiences that feed into our personal threat models and how we actually view the world.

For example, I have several queer relatives. And being queer in the South is a scary thing. So the way that they approach navigating society and the things they actually have to, that they want to disclose, that they don't want to disclose. This flows informs how they operate, and that's an input that's useful for a security team.

You can envision like, hey, maybe you actually, I'll use some of the public companies. You think about a product like Venmo, whereas if you use Venmo here in San Francisco, it's like, hey, you know what? I was at Martuni's, or I was, I paid a bill at Martuni's, or I was, actually, I don't think the Eagle ever accepted credit cards. Oh, hey, I was at the Eagle, and somebody saw me, or maybe I had a video of me, or I paid somebody.

That is innocuous here in San Francisco. Yeah, no one thinks twice about it. But if you're like rural Alabama, and all of a sudden, everybody sees that, hey, you're going to a gay bar or something like that, that can have very real physical consequences for somebody. And if your security team doesn't have that diversity, you might literally miss that aspect.

One of the things I think we see... Or even if you have the diversity, but people are not bringing their full selves to the table.

Yes, yes, even more so. And I think it's exactly, yeah, so just having diversity isn't enough. Making it psychologically safe for somebody to actually be who they are is also important. Think about some of the things, another example, like I am six foot one, six foot one, about 250 pounds.

I'm a black guy in San Francisco. Most people cross the street when they see me. I'm not scary. I don't think I'm scary.

No, I don't think you're scary at all, no. But my threat profile walking like in the Tenderloin late at night or something like that is completely different than one of my friends, Colleen. She's the head of security at Segment and Twilio. She's a much smaller woman.

I think she might be 5'1", 5'2". And her threat profile is completely different. And I remember I was having a meetup with her, and I was like, hey, Colleen, let's go. We're going to go to this meetup.

And she was like, oh, hey, how are you getting there? I'm like, I'm just going to walk. And she was like, oh, I'm going to take an Uber. And I was like, why?

I have to walk through this neighborhood to get there, Flea. It's like walking through the same neighborhood as Flea. You look like this. I look like this.

And I've been accosted. I've, you know, she's had these experiences with people being hostile, et cetera. And that's just a completely different thing. And that definitely impacts how you want to think about security.

When I think about it from a product standpoint, you know, here in California, in particular Silicon Valley, it's not a perfect community, but we are more accepting and we have a little bit more autonomy for things like women's rights and those kind of things. When you think about some areas like in sub-Saharan Africa and these places where there's a lot more patriarchal society where maybe a young woman who lives there doesn't actually fully balloon her account. And so if you're showing and demonstrating things like, oh, hey, who's this random guy that reached out to you on LinkedIn? And that actually appears in somebody else.

Somebody was like, this is against our culture. Why do I want to get out of it? Like, why is this woman doing that? And they could actually have negative consequences for her.

Having people with that background that could actually pull it out for those cultural differences and say, hey, the thing that you're building sounds great, but here are some of the ways that this might impact somebody in my community or a community that I'm familiar with. And this actually goes back to the Venmo thing, even like Square Cash, et cetera. There's a lady at GitHub, Danielle Leong. She's a director of engineering there.

And one of her passions has actually been calling out things around essentially just privacy issues inside of products. And one of them is like, hey, are you setting up some of these products to make it easy for an abuser to still reach out and contact somebody? So, for example, like, hey, if you're in an abusive ex or just an abusive person in general, spending a dollar to send somebody something via Venmo or PayPal, et cetera, just so you can actually add a message saying, hey, go kill yourself or you're a horrible person. For some malicious people, that's worth it.

But the other thing that we can do as a security industry to improve those scenarios, and that's part of the, actually, that's like for me, that's one of the bulk of the reasons why security teams, in order to be successful, must be diverse. And it actually has been a passion area for me. Like, obviously, I want to make it easier for me to be in the industry, but I also want to make it much easier for people that look like me or not like me or fundamentally just different to still have successful long-term careers inside of security. Like, at the end of the day, it should be all about, can you be a good security practitioner?

It shouldn't matter who you date, who you marry, what kind of, if you have kids, what your skin color is, what your gender is, what your sexuality is, et cetera. It should really be about the output that we generate and our ability to help create more safe outcomes. That's spectacular. All of that resonates really well with me and all of my experiences too.

I've done a bit of team building myself here in the Valley, and I've noticed that how you set up diversity and our differences and our different experiences has the strengths of the team. You facilitate a camaraderie that you would otherwise miss, right? And it leads to better products. It leads to thinking outside the box.

It leads to more innovation. It leads to people feeling like they're contributing to something bigger than themselves and really bringing their full self to the table and really contributing. Everyone. Yeah.

And so given that diversity is this important, aspects to building, you know, teams in general, security teams in particular, because we have to be the outside-the-box thinkers. 100%. When you interview someone for a senior security role, how do you flush that out? What's the signal that you look for?

How do you, is there a strong yes signal that you hit it when you smell it? How do you build these sorts of teams? One of the things that I look for, especially when I'm thinking about like senior leaders within security, is how do they think about what a good security hire looks like? And not like literally just physical, but like qualifications and things like that.

My degree is in electrical computer engineering, right? I don't have a degree in security. I have zero certifications, et cetera. I do joke around, but I am certifiable, but I'm not certified.

And, you know, the thing that I look for is people who recognize what are the actual core fundamental attributes and aptitude that an individual needs to present in order to actually show that they can be effective inside of security. So like when I hear a manager or a leader or even just a senior security person saying like, hey, well, this person needs to know all these tools, or, oh, this person needs to have these certifications, or they need to come from this school, or they have to have worked at this company. That's kind of nails on a chalkboard, isn't it? Yeah, yeah, I know.

I visibly see the rejection on your face. And for me, it's like, oh, no, that's horrible. When I see somebody that's like, oh, hey, you know what? I want to see if somebody can, you know, can they actually walk me through something that looks like a threat model, even if they actually don't know these words to me.

Do they have some of these natural aptitudes of curiosity, thinking creatively, et cetera? You know, when I hear people saying, okay, I look for somebody who's like really strong at translation and really strong at communication, that makes my eyes light up. When they're saying, okay, I'm interested in somebody who has passions outside of security, because once I, like if somebody is open to a person having passions outside of security, that makes me realize, oh, they're actually just open to all walks of life. Like I love the fact that your background is your super shiny and it's been through Ducati.

That's an old Ducati. I don't have it anymore, but it was a very fun bike. But it convinces me like, oh, you are like a full person and you're not just pigeonholed into this one identity and that you're capable of actually seeing that, hey, there's actually value in other things besides just security. And that goes a long way.

And this isn't to, and I think oftentimes people think, oh, hey, diversity or having issues with diversity is just like a white male problem. That is not true at all. That goes across the gamut. Everybody can have some kind of bias.

And so when I really do try to actually tease out what those potentially are and how could they actually work to, you know, broaden their horizons that you get rid of some of those biases. Like it, I could totally be biased of the black males and say, hey, I don't want to work with women or something like that. That's a tough thing. I'm from the South.

I can say like, oh, hey, in Southern culture, we're very homophobic. So I don't want to work with anybody that's, you know, LGBTQ, et cetera. It's like all these other kinds of things. So it's not just an area that we have to press upon, like, hey, we have to make sure that white males that we're hiring are qualified.

We have to do that across the board because bias isn't exclusive to one demographic. It's all very capable of that. And if you live here in the Bay Area, you definitely know that this is not like every demographic in the Bay Area probably has some issues with bias against other demographics in the Bay Area that we have to challenge. And I can go on on that soapbox forever about my issues with the Bay Area air quotes, wokeness.

We are diverse, but we're not integrated here in the Bay Area. So there's still a lot of work we have to do here as well. It's true. It's true.

The future is not here yet. It's something that we are always chasing. We're always building towards something better. But that's what I learned about security people.

We're these angry optimists. We're like, no, this could be better. An angry optimist. Yes.

That's a wonderful description. So I know sometimes security can be very stressful and highly visible, especially when the shit starts hitting the fan. I think like what just happened with T-Mobile. My heart goes out for all of those security engineers.

Maybe, of course, Gusto, there's nothing like that. But if you had any words of advice for folks that find themselves in a little bit of a pickle that are in the security space that are helping their organization navigate a difficult situation or maybe a ransomware attack or a data breach of some kind, what advice would you have for them? Yeah. And I think, you know, one of the things that kind of hit the head up, hit the, or at least allude towards is this thing that I call security savior syndrome, where oftentimes security people, security teams think that they have to carry the burden of all bad outcomes on their shoulders and prevent all bad outcomes at a company.

That will quickly burn you out. And it's actually part of the reason why we have so much burnout in our industry. So first of all, I think one is that anybody in the security industry has to learn to give themselves forgiveness. We cannot prevent every single bad outcome.

And if you... Self-forgiveness is such an important quality to bring with us wherever we go.

Oh, yeah. And it's like one of the recommendations I have for people in security, everybody in security should at least think about, consider getting therapy. It's just a useful thing just in general, but it'll make you better. Practice mindfulness.

And I know it sounds like a little bit, you know, hippie, new agey, or whatever. No, no, not at all. I practice mindfulness. Yeah.

Do my 10 minutes of meditation. Yeah. Like, it might sound weird coming from this like southern redneck, but those things are actually really important for like that long-term sanity for us in the community. The other thing is, make sure that you're working on internal relationships with your company.

So you have support. You're not supposed to be in this alone when you're actually going through some of these difficult security issues. The other thing that I recommend, and this isn't possible for everybody, so I do want to caveat that, is try to shift your company's culture so that business owners own the risk and the outcome from their decisions as opposed to security. And the reason why I mention that is that then you can actually really start reframing how you're thinking about some of these problems, like the issue going on with T-Mobile.

Obviously, there's another thing going on with AT&T today as we're recording this. So that you, as a security practitioner, aren't on the hook for fixing somebody else's mistakes, right? And so you can actually start approaching this more from a helping angle as opposed to a CYA angle and some of those other things. This is actually really nuanced because it also depends on your company's culture about how you can approach that.

The other thing that I recommend is security people, I would recommend security people to try to take a vacation at least once a quarter. Like, ideally, you should be taking like one week a quarter just to actually recharge yourself. This is, security is a marathon. This is not a sprint type of industry.

You get into security because you're working on a lot of like small changes, a lot of things that over duration add up to better outcomes. But that doesn't mean you're going to prevent all negative outcomes. And so you have to be open to the fact that, hey, some bad things are going to happen. In the moment of a crisis, one of the important things for us as security practitioners to be able to do, and this actually will help your own stress, is to at least display the demeanor of calmness.

Other people, especially when there's a crisis, they look towards security as almost being like mom and dad, right? And so whatever reaction we have, that just gets amplified. Yes. And so if you have a security incident and you're saying, okay, this is going to destroy the company, the CEO is totally going to help you and they're going to believe it and they're going to be really stressed out.

And that stress is then going to circle back to you. And that stress then is going to actually trickle out to your team or your peers, etc. We just think is that, yes, exactly. This negative feedback loop is going to continue to amplify itself.

And ultimately, that stress ends up being embodied into the security practitioners, which just ultimately isn't helpful. The other thing I would say is, especially when you're in a stressful situation in security, be mindful of your physical health and be mindful of substance abuse. This is one of the things that I do think is actually somewhat negative in our culture. We do have a culture where we celebrate things like drinking and mind-altering substances and stuff like that.

I'm not judging anybody for any of those things. Of course. Addiction is a disease. Yeah.

Yeah. But it definitely can have a negative consequence towards the other stress that you're feeling. Like alcohol is not a solution for stress. It can often times make stress worse.

And that goes with like other substances that people may abuse. And like I said, I'm not against people using drugs. I am a believer in better living through chemistry, etc. But I do think that actually is responsible usage versus irresponsible usage.

And hopefully, you know, security in these trips will infiltrate. It can make it easy for us to fall into some of those traps. So those are some things I think about. It's like, hey, you know, one, you know, making sure that you're actually, you know, relieving and forgiving yourself for security incidents.

Practicing mindfulness if you can. And that's something you have to be open towards. Speaking to others. You don't necessarily have to have a therapist.

You can literally have your security peers be your therapy versus hanging out on IRC and complaining about something or, I guess, Slack and Discord for some of the younger people. And those are outlets for you. And try to also shift the culture of your company so that business owners are actually on the hook for the risk as opposed to security. Right.

Actually, that one in particular, your last one, shifting the risks onto the business owners. It's a great way to scale a security culture across an organization. Now it's not just one place that's responsible. It's everybody that's responsible, right?

And as your org grows, you may not, your security team may not grow at the same rate. So you will, relative to everyone else in the company, have fewer and fewer resources to work with a larger and larger set of folks. So. Yeah, your security team is never going to grow as fast as the rest of your org.

And that's just the reality. Isn't there a good reason for that, right? Right.

Security should be like a highly leveraged discipline. Most security people are just highly intelligent. We can do a lot. We're really capable.

But does it mean that we should be superheroes and burn ourselves out? Right. But I know that a good security team can scale in a way that's better than a lot of engineering teams. And so you're never going to be the same size as engineering teams.

You're never going to be the same size as marketing teams. The interesting thing is that you are often going to be responsible for security of all the departments and helping everybody, which makes it even more of a weird ratio because, yeah, the security ratio for the entire company is really small compared to some of the others. But I think it's actually part of the fun of the challenge. I know that I've been talking a lot, John, so some quality before that.

No, no, apologies are necessary. Not at all. Yeah, it's wonderful. We are long-winded.

We ramble. We will just close it up by saying a huge thanks to Flea for joining for the show. It's been a really interesting discussion. I love your perspectives on diversity and security and team building and what matters.

A huge thanks for joining. Be sure to join us next time on the Security Podcast of Silicon Valley. Thanks, Flea.