The CISO Speaks: Sean Catlett of Reddit on What It Means to Be a CISO During Unprecedented Times for Cybersecurity

Posted on by Tony Kontzer

As human beings, we find ourselves at a moment when leadership is more important than ever. The world has been disrupted in ways human beings never could have foreseen, and we are turning to our leaders to make tough decisions that not only increase our odds of getting through the current global crisis as unscathed as possible but also catapult us into a better future.

If you think about it, this is simply a larger-scale version of what CISOs have already been doing: steering us through crises in ways that bring better future outcomes. So what better time to tap into the leadership qualities that so many CISOs quietly bring to their organizations?

Along those lines, our ongoing series, The CISO Speaks interviews, affords us a perfect opportunity to find out how one cybersecurity leader is thinking about how best to navigate the fast-changing reality swirling around us. And I couldn't think of a more appropriate CISO for this moment than Sean Catlett of Reddit, which bills itself as "the front page of the Internet."

One thing that's different about this Q&A: Catlett provided such substantive and relevant responses that we decided, rather than edit them down into a post of reasonable length, to break the interview into two parts. What follows is a lightly edited transcription of the first half of a recent email interview with Catlett. The second half will publish next week.

The recent RSA Conference centered on the theme of the Human Element. What does the human element mean to you?

To me, the human element represents a shift away from purely threat and technical challenges to domains that are vitally important to remember: privacy, identity and the adversaries themselves. Each has a human effect that is not just expressed in ones and zeros. 

Let’s look at privacy first. We have a value at Reddit to Remember the Human. When I think of information security and privacy in that human context, I don’t think about only the technical measures and network or application defenses. I think about what people want us to protect, and how we can keep private that which has been entrusted to us. Remembering the humanity in the systems we build is an important step in empathizing with the impact of data losses or breaches, versus viewing them as pure engineering challenges.

Identity is another human element that is too often lost in the miasma of "solutions." People want clear descriptions of their identity, tokens or credentials that are easy to use and manage for the information representations of them, and ultimate control and choice about the accuracy of their identity. 

Finally, I believe we have to continue to recognize the human element in cyberattacks. There is another person on the other side of the keyboard creating these attacks. They are your adversaries. If we don't focus on understanding their motivations and intent, it will be extremely challenging to stop them via purely technical means and signals.

Given the well-documented shortage of qualified cybersecurity job candidates, and the skills gap that has been created, what new tactics and strategies are you employing in order to find the people you need? How has this evolved in recent years?

I challenge the notion of a shortage of qualified cybersecurity candidates. I believe the industry has been too myopic in its views of what qualifies a candidate. Most of the leaders I speak to came to this industry from parallel backgrounds and skill sets. Biologists, mathematicians, physicists, economists, ancient historians—all were able to break in and succeed. 

In my own hiring, I look for attitude and aptitude. I try to identify the person's 80-percent skill—what will the other team members rely on them to do or know. With the other 20 percent, it's okay if they don’t know as long as they are willing to learn. By prioritizing attitude and aptitude, I’ve been richly rewarded by employing people with no previous information security experience, deep experience but no college degree, disabilities or any number of other personal challenges. I feel I can give them the same chances I had: the patience of the company to let me learn, and the time to demonstrate that I could create value for the organization as a whole and be a teammate to others regardless of my domain expertise at the time. As for making a concerted effort on diversity of all types, we’ve found that boot camps or other nontraditional recruiting avenues can be helpful. At Reddit, we have an active partnership with Hackbright Academy and have sourced engineering talent from its alumnae. We’re always looking for new recruiting avenues for cybersecurity talent as well. However, we as an industry can do better and I am currently absorbing everything I can from my peers and their strategies on this topic.

It's impossible to have a discussion on any topic today without considering the impact of COVID-19. Aside from the obvious impacts we've all been reading about, how is COVID-19 affecting the job of a CISO?

COVID-19 makes any job harder, the CISO being just one of them. We are all looking at new ways of working, and I hope as an industry we use this as a helpful thought exercise on the threat model of remote working and the perceived security tradeoffs. I’ve had the opportunity to work for many organizations that were either fully remote or modernizing to support remote work. Due to this, I’ve built Reddit’s security organization to be fully remote capable. This has been beneficial when helping the company take a remote approach. What I am trying to make sure of is that we don't lose the humanity of our workplace experience. We need to be thoughtful about operating as a fully remote-capable company, including onboarding and offboarding experiences, trainings, meetings and collaboration. 

Please return to the RSA Conference blog next week for Part 2 of our Q&A with Sean Catlett.

Tony Kontzer, RSA Conference


