Proud to Be: Fireside Chat
Presented by: Joe Sullivan, Frederick Lee
Originally aired on January 19, 2022 @ 4:30 PM - 5:00 PM EST
Joe Sullivan, Chief Security Officer at Cloudflare, will be hosting Fredrick Lee (Flee), Chief Security Officer at Gusto. This Afroflare/Security initiative delves into Flee’s background and experience rising to senior positions at several high profile tech companies.
English
Black History Month
Transcript (Beta)
Hey everyone, welcome to Cloudflare TV. My name is Joe Sullivan. I'm the host of this 30-minute episode and I have a guest here with me today.
He goes by the name of Flea.
Thank you for joining me. We're here this fine morning to talk a little bit about, well, Security Awareness Month, October Security Awareness Month, and all of us in security really care about that every month but we particularly, you know, this is our chance to shine in front of our organizations and get everybody on board with security.
But it's also Black History Month in the United Kingdom and Cloudflare as a company, we have a very large office and presence in London and so we take celebrating our cultural events around the world very seriously, especially with such a large presence in Europe and in London in particular.
And so I'm happy to have Flea here as a guest to talk with me about a little bit about his career journey.
He is head of security at Gusto, chief security officer as I am the chief security officer at Cloudflare.
So welcome to the show and glad to have you here.
Yeah, thanks so much, Joe. I'm actually excited to be here and this is actually just one of my favorite topics, security awareness in general, but also, you know, just talking about also, you know, just my journey and things like being a Black person in the cyber security world.
Awesome. Yeah, this could be a good conversation then.
How did you first get into security? Yeah, so as you can kind of tell maybe from the screen that I, this is not a special effect.
I am unapologetically Gen X.
I'm a little bit older. I actually got into security, I guess, the traditional way for people, you know, that were, you know, kids in the 80s and 90s, which was, I got into hacking.
I was one of those script kiddies. I was one of those people that you probably would have wanted to have prosecuted if I'd done enough damage.
So actually, I got into security, yeah, pretty early. And part of it actually just me actually reaching out, actually reading about things.
I was always interested in computers and things like that.
And I remember I came across, it was actually, I believe it was in 2600.
And I was actually just reading about, you know, what we actually just called in the 90s, the hacker wars.
And in particular, there's a gentleman, John Threat, aka corrupt, you know, aka John Lee, no relation.
And I was reading about him. And he was actually the very first black person that I'd actually seen that was actually working in computers and things like that.
You know, obviously, he was working on a different side than what I am now and what he's on in now as well.
But for me, that was actually really instrumental, because it was like, you know, it's kind of this whole concept, if you can see it, you can be it.
And obviously, I'd seen like, Oh, hey, here's some TV shows, it's Richard Pryor on like, you know, the Superman, you know, movie and things like that.
But this actually was a real person, and a real person interested in a lot of the same things that I was interested in.
And it really inspired and motivated me to go further down this avenue of what I like to call aggressive self study.
Right? Awesome. Did you? Did you kind of back up on the academic side?
Or did you just kind of, like, keep your academic side separate from your security interest for a while?
Yeah, so I, it was separate, you know, like, so for me, I went to, you know, what we call a residential high school, which is different than a boarding school, I was going to clarify, boarding schools for people that have money, residential high school, this in particular was a math and science school.
And, you know, where I was fortunate enough that literally in our dorm rooms, we had, you know, access to the Internet.
And this was super early, this is, you know, back in the day, before you even had Mosaic, that you would actually compile yourself and those kinds of things.
It was just like Gopher, FTP, IRC, etc.
And so for me, the security stuff is actually more like a hobby and things that you would do after class.
And but academically, you know, I was investing in things like, you know, just general engineering education, but also in particular, computer science.
So and I was fortunate that those things, that path kind of continued to take me out on a career that ultimately led to security.
But I didn't go to college for security, like, you know, back in, you know, in the 90s, you couldn't go to college for security, right.
So I went to college actually for electrical engineering, because I thought I was going to be building robotic vehicles, and electric vehicles in particular, but that security itch, and that that hobby of security just never left me.
Awesome. So you mentioned this one mentor, how did you connect with them?
Yeah, so initially, it's actually all online, and things like that.
And it's actually just recently that we've actually had like face to face interactions.
And I think, you know, it's funny, because when you think about, you know, our community and security, so much of our stuff is online, oftentimes, like you're working with developing relationships, learning from people and knowing people, purely virtually, which I think is part of the reason why, you know, the work from home, you know, I guess movement hasn't been as nearly as dramatic for security professionals, because we've spent a lot of our time, you know, interacting with people online, you think about like, you know, your DEF CON community, things like that, etc.
It's a lot of people that literally, we never see each other, and then we actually finally meet each other in person.
And it can be several years later. But you know, John Lee wasn't my only mentor, and only a, you know, sponsor, you're like, I've actually, you know, had other people as well.
You know, in particular, like somebody who, you know, I really look up to Dr.
Gary McGraw, who is, you know, like the, you know, chief scientist at Cigital, now Synopsys, he's, you know, really took me under his wing and really started to show me kind of like, you know, a different path towards security and how to actually think about security from an engineering lens.
And also, you know, Dr.
Brian Chess, one of the co founders of Fortify, the previous static analysis company, also, and in particular, they both love this idea of being builders inside of security, and not just being focused on the doom and gloom, and finding exploits, because at the end of the day, it's like, hey, one of the things I learned is like, hey, you know, any software can be broken, right?
And one of the more complicated things is to make the cost of breaking software, or, you know, violating security controls, you actually want to increase the cost of that.
Nick, you're really instrumental in helping me actually think through that and form my opinions about what security, at least in my opinion, what good security should look like.
I love that. We talk about on my team here at Cloudflare, a lot, this concept of we're a team of builders.
Yes. I think if you don't, if you just are a team that responds to incidents and points out flaws, you can easily become discouraged as opposed to optimistic, right?
Yep. Oh, yeah. Oh, yeah.
And maybe that's part of the reason why I, like, I am maybe a cheerful CISO, kind of like you.
It's like, oh, it's like, it's this whole idea. It's like, I kind of think in order to be in security, you have to be an optimist.
Like, the entire drive for us actually fighting and fixing vulnerabilities is this idea that we believe there could be a better world, right?
And one way to actually achieve that is like, oh, hey, pointing out to everybody all the and all the things that I fear are bad.
It's like, yep, yep. I know we have COVID going on. I know we have climate change going on, et cetera.
But something that's even more powerful, kind of, you alluded towards, Joe, is this idea of being part of the solution, not just finding problems, but actually solving those problems.
And being a builder, in my opinion, is one of the best ways to do it.
And because also the reality is that security teams are actually generally much smaller, right?
And so we have to be more leveraged than the other engineering teams.
And we have to think a lot more about, well, not only how to actually just solve this one instance of a problem, but how to actually eliminate kind of like a ecosystem of problems, or actually eliminate an entire class of vulnerabilities.
You know, this idea that also we can be enablers for the rest of the business.
If you think about a company like Cloudflare, right?
If you didn't have great security engineers, Cloudflare actually doesn't really have a business, right?
And so I think a lot of people have the mistake that they believe, like, oh, security is just a cost center.
But when security is done well, security is a dramatic business enabler.
But in order to be a business enabler, you have to be a builder.
And you have to view yourself as part of the solution and build your team and build your team's culture to also look at themselves as problem solvers, not just problem identifiers.
Oh, this is so spot on.
It's funny, early in my career, my first role as a CSO at Facebook, I worked with an exec coach.
And she did a survey of the other execs of the company.
And then she came back to me and said, Joe, the only time you ever talked to the other execs is when you're bringing the doom and gloom.
You know, you're telling them, you're telling them, oh, your team caused a problem, or no, that idea you have is bad, or I need more budget for security.
So it's like, every time you show up, you're like that little dark cloud.
And they run, they see you coming and they run away.
And I realized I had to change my whole kind of approach, I had to have like, let's build something together mentality.
Let's partner on reducing risk in a way that allows you to kind of build something and actually launch something at the same time.
Yeah, no, and I love to even talk about, you know, the Facebook example in particular, if you think about what Facebook is built, you know, Facebook can do more by having more security, right?
And it's like, in their city, you know, when you, the way I like to look at it is, we allow companies to take risks that other companies can't.
And if you can actually find those opportunities, it is just such a dramatic improvement for a company.
You know, like, you know, at Gusto, we're able to actually do things because the security team has built infrastructure that allows other developers to either not have to worry about security, so the developers themselves can actually be more productive, or it allows like the developers and product managers to take on riskier things that wouldn't have been possible otherwise.
You know, one of my favorite examples since, you know, I've already outed myself as being like a, you know, kid of the 80s and 90s, is you think about when eBay and PayPal came online, right?
And I know exactly seems like, oh, you know, but this is like, in the 90s, when eBay was just coming up.
It's the craziest, dumbest idea ever. Hey, I'm going to, you know, some random person I've never seen, I'm going to give them money.
And I'm going to send them either like a credit card or bank account or something like that.
But because we introduced things like TLS, because, you know, companies like PayPal develop ecosystems and secure ways that you facilitate transactions.
Now we have this entire marketplace, we have e commerce. Now we have all these things that, you know, pre 90s, and especially like pre 2000s, just seem like pipe dreams are things that you should never do.
But because somebody figured out how to actually manage that risk, they were to actually build multi billion dollar companies.
I actually joined eBay in 2002. And I remember, I remember calling my mom and saying, I'm going to leave my secure government job.
And I'm going to go work at this company called eBay. And she'd never heard of it.
And she said, What's the business model? And I said, Well, you look, you see something you want to buy on the Internet, you put cash in an envelope, you mail it to someone, and you hope the goods show up.
And she's, and she was like, what?
Yeah, this was before PayPal and no pay. And those other kind of like, trusted payment management systems came along.
And the astonishing thing was, it actually worked most of the time, you know, people like Pierre, the founder of eBay used to say, people are basically good.
And then, you know, I joined, and we would say, except for when they're not.
And we had, we had, we had to build security teams to deal with the, you know, and try and minimize those bad situations.
So you, you've had this career journey where you kind of came into it with, with an engineering mindset.
And you've risen to the top as a leader. It's interesting, you know, you and I get to know a lot of different security leaders.
And like, one thing in common is that we have nothing in common in terms of our career progression and how we got to be security executives.
You come from, I think, an application security background.
And, you know, I come from like a completely different background.
What is it like to be like that really technical person who kind of like takes on that leadership role?
Yeah. So it definitely, you know, it has, it means I come to it with a different set of strengths and weaknesses.
Right. So one of the strengths is like, yeah, I can think about the technical solution first.
And like, when I see problems, it makes it easier for me to visualize the finding.
Yes.
So like at Gustav, we have this just general model for security. Our job is to find yes.
And by being an engineer, when you have that, you know, ability to actually think about, well, what can you build, et cetera, you have a lot more options than when you're trying to actually find yes.
However, I still have the same stereotypical, like engineering personality and some of those issues and things like that.
Like, you know, obviously the people who've been watching this, they can tell I'm not like what is considered a polished executive or anything like that.
I'm a little bit more, you know, blunt and things like that. And so like, you know, things that I have to work on and improving on is like, hey, just business acumen just in general.
Right. And that's definitely a different skill set, especially as you're stepping into leadership.
It's thinking about the business holistically, not just your domain and the problem you're trying to solve, but how does this impact the company's trajectory?
How does it actually align with the company goals?
How does that impact the customers in the ecosystem that we operate in?
So that's definitely a challenge when you're coming from a technical background.
The other challenge is learning to speak in a way that other people can hear you.
And I think this is actually in particular for those of us in the security world, it's always like one of those bigger missteps.
It's like, oh, we speak in a language that oftentimes maybe our exec peers may not understand.
You know, you definitely have an advantage because you have both security and legal background.
So, you know, you're able to at least talk at a much higher level when it comes to risk, risk management, et cetera, and more broadly.
But that was actually something that, you know, I've had to learn and also, you know, still learning.
And then probably the, you know, third, I guess, challenge on that is, you know, people skills because engineering people skills are very different than general population people skills and actually making sure that I can, you know, approach and deal with all audiences at all levels.
Yeah. I think every one of us, when we first get to that executive level, we probably feel like you said, unpolished, not ready for it.
Like how do you deal with like imposter syndrome? Yeah.
Yeah. So how do I deal with imposter syndrome is pretty easy. So at least now, but, you know, like earlier it was probably more, you know, leaning on my mentors and also leaning on some of my peer networks.
So I belong to this group called DevColor, which is an organization.
It's a nonprofit organization for, you know, black people in software engineering.
And so I was able to actually lean on other like black executives and say like, Hey, you know, like how do you, how are you dealing with this?
How do you go through X, Y, and Z which helps minimize and reduce some of the imposter syndrome?
You know, I, you know, was very fortunate that I have extraordinarily loving and proud parents.
So they'd always kind of like, it can instill to me this idea of like, Hey, as long as you're working hard, you're trying your best and you're actually truly putting forth your best effort, then even if you fail, it's not a failure.
Right. And so that allowed me a little bit more courage to diminish some of the imposter syndrome, but it was still there because, you know, especially when I was starting in my career, I mean, particularly starting in career and leadership, you know, there are other things that actually just pop up.
Like I would often be in a boardroom and it would be obvious, like, Hey, I'm the only non -white person in this room.
And it did make me self-conscious about certain things.
Like, you know, there are like phrases and things like that, that, you know, colloquialisms that we know we use in African-American community that I just use as normal parts of speech, but maybe this audience wasn't even aware of that.
And I was, and I would get self-conscious, like, well, how are they perceiving me?
Because I use some slang term, not a derogatory slang term, but, you know, maybe I might say y'all, cause I'm from Mississippi.
Right. And those kinds of things, like how are those things actually perceived and learning to differentiate feedback that was real, that I needed to actually, you know, act upon versus feedback that was external from societal pressures that had nothing to do with me that I shouldn't have to deal with.
Right. So like, you know, one of the classic things as a black person, in particular as a black person, maybe actually in leadership is people saying like, Oh, you're so articulate and those kinds of things.
Right. Like I doubt that anybody's ever actually said, Hey Joe, you're so articulate.
Right. Like, cause the expectation is like, Hey, you're an executive, you're supposed to be articulate.
Right. So these things actually shouldn't be surprises. But, you know, learning how to actually deal with some of those things and, you know, in which areas do I need to say, Oh, well, Hey, yeah, that piece of feedback was valid.
And it actually was something about an action that I need to improve versus, Oh, that piece of feedback actually maybe came from somebody else's place of bias.
Right.
Cause they had never seen anybody like me at a board meeting or that kind of thing.
Yeah. I mean, when I step back and think about it, it's it's frustrating and disappointing that you as the minority in that situation feel you have to change more than the people in the room before you feel like they need to be open to having someone different from themselves.
Yeah. And like one of the advantages of getting older though, is that I no longer care about that.
Right. Yeah. Cause like when you think when you're younger, like everybody, when you're young, you have some kind of insecurity.
Right. And unfortunately, you know, oftentimes young people try to adjust themselves exactly.
You said to like, Oh, what external expectations were, as opposed to like saying like, Oh, wait a second, you need to change what you're doing and make space for me.
Right. You know, I, like I said, I was fortunate that I'm actually, I'm really confident in my technical skills, extreme, probably maybe overly confident.
So like criticism and things like that, I could recognize like, Oh, wait a second, you're criticizing me for something that has nothing to do with me.
Because I know this subject area really well. So I know it's not the facts.
It's not this. So it's actually something personal and you know, somebody's bias, whether it's malicious or non-malicious was actually coming into play with the feedback that you're doing.
So, you know, it definitely is a journey and it's unfortunate and there's still an issue in the industry.
You know, like one of the things that I've been seeing recently is a lot of companies that are looking for CISOs having interim CISOs and those interim CISOs happen to be female.
And I'm always wondering, it's like, Oh, cause this person is good enough to be an interim CISO for a year or two years.
Why aren't they just that title? And so, you know, some of that comes into play about how I think and view myself, but also how I view and think about other people.
Like one of my superpowers, I guess, actually is being a minority because it can make me more, you know, empathetic as well as maybe a little bit more open towards thinking about my own biases and things like that, because it's easier for me to actually put myself in that position of saying like, Oh, well, Hey, you know, like, yes, I'm not a woman, but it's easy for me to say, well, at least I have been in a position where somebody misjudged me because of an external viewpoint or an external like appearance issue.
And so it allows me to actually be a little bit more broad in my hiring and how I actually approach hiring than maybe some of my other peers.
Right. Yeah. Yeah. There's an old saying, like you can't judge someone until you walk a mile in their shoes or something like that.
And I think for a lot of us who try and be the best allies we can possibly be, it's still hard to get outside of our own kind of like assumptions.
And, you know, every one of us thinks I climbed to the top because of my effort.
You know, nobody, nobody cleared a path for me. I earned my way to the top, but the quality is we all start our clients at different places on the mountain.
And we have more or less people help to push us up the mountain and more people, less people giving us nutritional on the way.
And all of those have to be factored in.
I thought it was really interesting the way you were describing like your self-confidence gave you the ability to differentiate between criticism of the person versus criticism of the idea.
I love it. Yeah. It was funny. Like I said, like somebody asked me what my superpower was and I explained to him, you know, I grew up in Mississippi here in the United States and Mississippi has a long and storied history with racism.
And, you know, some of the things I was able to learn early on was society's opinion of me.
Isn't always the same as what the actual true reality is.
So you're like, you know, for an example, you know, like I said, I went to a math and science school.
So like, yeah, I'm fairly proficient in math and science.
And I remember early in my, my educational career, I gotten a perfect result on one of the standardized tests around math, which wasn't a surprise to my parents, wasn't surprising to me, but in Mississippi, they're like, Oh, wait a second.
There's a black person that's actually good at math. And so they thought that it was an error or that, you know, there was some kind of cheating or something like that involved.
And it's like, and so little lessons like that taught me early in my life that external opinions never trump hard facts.
Right. And that helped me build that confidence.
Like, Hey, I know the effort I put in. I know the facts that I know I've proven it in other formats, et cetera.
So, you know, learning had actually differentiated that feedback, but I learning of how to give and receive feedback.
It's also just, just instrumental to being a successful professional, just period, whether or not you're an IC or, you know, in a leadership position.
Right. Yeah. So, so I mentioned at the beginning, this is we're celebrating UK black history month.
Yeah. We chose the theme, our, our, our black and white ERG Afro flare chose the theme for the month.
I'm proud to be, it sounds like you are proud to be you.
I am extraordinarily proud to be me. I was born black.
This isn't a special effect. I still am black. It's working out pretty well for me.
I plan to die black also. And like I said, for me, I get a lot of strength from my blackness.
I really do. And it is a source of strength and inspiration and a source of resiliency for me as well.
Not just like philosophically, but even just from, you know, my community and things like that.
Like I mentioned, like things like dev color, which actually has resources that can help us support each other and accelerate careers, et cetera.
And just, you know, staying in tune with that next year and staying in tune with my culture, which obviously here in the U S like black culture is, is, you know, broad and nuanced, et cetera.
But, you know, all those things that he just helps me be me and what I've recognized, especially in New York, he alluded towards earlier with this idea of like, you know, early in my career, I probably was actually adjusting myself to try to actually maybe, you know, fit in with certain audiences, but I'm doing a much better job now because I'm bringing more of my full self.
And like, you think about the mental energy that you put into especially having all these various masks or performances that you're actually giving out externally, like, you know, fundamentally, we're all actors to some degree, but the closer you actually are to your true nature as an actor, the better that performance is going to be.
And that also shows them in your work performance.
So, you know, being proud of whoever you are, whether it's like, you know, black, Brown, you know, whatever, you know, spectrum on the LGBTQ, you know, anything religion that is always going to make it easier for you to actually show up better because it's less mental load.
Right. I'm not trying to do as much context switching or even, you know, more so, you know, alter my language.
Biggest operation to do for my language is just cause yeah, I'm from Mississippi.
So Mississippi, we just have accents, but, you know, like things like that.
And so like, yeah, I love the theme that your group has this month of, you know, what is, you know, being proud to be black.
I've explained to other people, I recently gave a talk that was called navigating the black seas, right.
Like going from IC to C level as a black professional.
And, you know, in that analogy, I was mentioning to people that blackness is the wind in my sails.
Like that that's one of the things that actually, you know, helps me center.
I draw strength and power from.
Yeah. And, and the reason why is because the company that hires you is going to feel like they have a better leadership team.
Right. Yeah.
They're going to have your representation, your perspective, and you're going to, you're going to help them see things hopefully differently.
Yeah. And you touched on something that's so great, Jay, because this is one of the, like, I personally believe that not having a diverse team is a disadvantage for a company.
And it's very real and legitimate. So you think about a company like Gusto, right, where we're trying to serve a broad swath of like, you know, small, medium sized businesses by having executives that know something about that culture, and maybe know it because they're native to that culture.
That literally means there are business opportunities that we can actually point out and identify that maybe others don't, you know, like, I remember at a previous employer where we were talking about, you know, just the payment industry and things like that, you know, mentioning.
So like, you know, here in the US, you know, we have this idea of like black barbershop culture, right?
And how business is conducted there is actually different than if you go to a Supercuts or something like that.
But knowing about that and have an executive that can actually speak to this, like, oh, hey, this is a business opportunity.
Here are actually things we can actually do.
Here's like we actually target this demographic that actually resonates with me.
And it's just, yeah, it's a force multiplier for a company. If a company wants to make a lot of money, get a really, really diverse team.
That's so true.
It really is. You have to understand your customers. So what advice would you give for someone who, to say your younger self or someone with similar identity watching who's like, how do I, how do I get on path like that?
Oh, yeah. So like, probably the first thing is just grit and resiliency.
But this is actually just across the board.
You're we're going to have failures, all of us, all of us can have some kind of failure.
Don't get overly discouraged by some of those failures.
Learn from the failures and try to figure out a way to actually improve. But don't give up the other thing.
And that grip applies to other areas. I don't want to sugarcoat it like as a minority, especially in the tech industry.
Yeah, it's still a very high probability that you might be the only person from your background on a team or at that company, et cetera.
I'm not saying anybody has to make any kind of sacrifices, but recognize that there is opportunity for you there and you don't have to say no to yourself before somebody else does.
And it's actually one of the biggest, I guess, you know, things that I learned from my parents is this idea of never say no to yourself, force somebody else to say no to you.
Right. So if there's an opportunity you're actually after, ask for it. You know, like if I could go back again, there's far more mentors I would have asked for a lot more interaction with.
Like I've learned, you know, like, you know, obviously, Joe, you've joined some of my groups and had conversations like individuals such as yourself, you're super busy, but you always find time.
And what I've actually seen and what I've learned is that most people do want to help humans in general.
We're good. We're nice, kind people in general and humans in general, especially, you know, individuals want to help other humans.
We enjoy it. We're programmed biologically to help other humans.
And so reach out for help, reach out for it early, reach out for it often and keep a really, really broad mindset.
The other thing I would say is take chances on yourself.
Like one of the things I wish I had done a little bit earlier and what I mean by taking chances on yourself, like, yeah, join that crazy startup that only has two people.
Right. Especially when you know, because one of the biggest benefits you have when you're younger and earlier in your career, you literally just have time on your side.
So you can recover from things.
And like taking those chances is, you know, is the opportunity to really upload and accelerate your career.
You know, if you look at like my LinkedIn profile, you actually see this interesting upward sign wave, right?
Where it's like, oh, hey, here's Flea, it's super tiny company. Then Flea goes to like large enterprise and Flea goes to another tiny company, large enterprise, et cetera.
And it's because this whole idea of like, hey, take some chances, learn something new and different.
Like when I, you know, I used to work at Betfair, which, you know, some of your people in the UK would definitely know about.
When I left Betfair, I went, I left Betfair because I wanted to join a company that was doing something in the cloud.
And ultimately I ended up joining Twilio, which obviously, you know, did really, really well, et cetera.
But at the time, it was the craziest idea.
Like, hey, this is super dope. Why would you leave this really great company that just prints money to join this startup that's doing something weird.
And they're also doing it weird in this thing called the cloud. So yeah, take chances on yourself.
Awesome. Wow. That was a great way to wrap up with a couple of pro tips there.
So we're just about out of time. So let me finish this conversation by saying thank you for joining me.
Thank you for opening up about your career.
Thank you for being a champion for diversity. You know, sometimes I think it's unfair that we put that burden on, you know, the diverse executive to speak up and to challenge the rest of us on something, but you seem proud to do that, happy to do that.
And it makes all of us better to be able to listen to you in a session like this.
So thank you so much for your time today. Oh, thank you for having me.
And yeah, hello. And thanks to all the audience that also just, you know, gave me a few minutes of their time today.
