Trust is top of mind for Reddit CISO Fredrick Lee

Reddit CISO Fredrick “Flee” Lee likes his profession just like his hobbies: full of high stakes.

When he isn’t busy ensuring the safety of users on Reddit or scrolling subreddits like r/MMA, you can catch him living life on edge through activities like rock climbing, snowboarding, or motorcycling.

But that shouldn’t be too surprising: Lee, who began his role at the social platform in 2023, told IT Brew there are a lot of parallels between his outdoorsy hobbies and his day job, including a big focus on managing risks.

“There are all kinds of things that can happen to you on a motorcycle,” Lee said. “But if you manage risk, you can go really fast. You can race everybody else. You can get to these just glorious human experiences a lot of people don’t have.”

Origin story. Lee had a somewhat traditional entry into the security industry. As a kid, he said, he visited a bookstore with his father and stumbled across an article in 2600 magazine featuring John Lee (aka “Corrupt”), a famous Black New York hacker who was part of the Masters of Deception hacker group in the 1990s.

“That’s one of the first Black people I saw doing something with a computer,” Lee said. From there, he began reading other security-related media—and hacking as a hobby.

In his early career, Lee worked at a handful of dot-com bubble startups before landing at Bank of America. There, he worked on enterprise systems, a role that served as a turning point for his career after he came across some vulnerabilities within the company.

“Instead of firing me, they actually created one of the first application security programs,” Lee said. “And so I got to join that, and that then became my full-time job.”

Shape shifter. While Lee has worked at a variety of companies—including Square, Gusto, and NetSuite—he said his time at Twilio was a defining moment, turning him from a “normal, everyday” hacker to someone who can spot security issues and build “proactive solutions” to address them.

“Twilio really shifted the way I thought about how security should be practiced inside of companies,” Lee said. “And this idea that security is not an engineering-adjacent discipline, it is an engineering discipline, and the more you can actually incorporate that, the more successful you’ll be as a security practitioner.”

Fortify was another transformative stint, he said, because it overlapped with the “infancy of application security as a discipline,” and allowed him to be involved in the fundamental work being done in that area. “That helped me a lot, actually,” Lee said, adding he became a better “security thinker.”

Russell Spitler, CEO and co-founder of Nudge Security, worked alongside Lee at Fortify and in other capacities for two decades. He described Lee as a security professional with a “curious enthusiasm” and one capable of building strong teams.

“There is always a big focus on enabling the business,” Spitler said, adding that Lee also advocates for his teams to make the “right way” the easiest way when building. For example, he recalled, Lee’s team at Square built a wrapper to automate SSH key rotations for developers.

“They just took a bunch of development work off the desks of developers, but as they did that, they also addressed the sort of long tail security concerns that came along with doing that work,” Spitler said.

Trust and believe. In his first year at Reddit, Lee shifted the organization’s focus from just security to “security engineering.” “Now you’re seeing Reddit’s security team not just talk about, ‘Hey, here’s what’s going on. Here’s how we’re actually protecting you’…but you’re actually seeing Reddit’s security team talk about, ‘Hey, how do you build a modern security pipeline?’”

These days, making sure user-generated content is safe and authentic is one of Lee’s top priorities. In March, Reddit CEO Steve Huffman penned a post detailing the platform’s efforts to identify and label bots on the website.

“The value of Reddit is that you’re interacting with an actual human,” Lee said. “And we want to make sure that when you come to Reddit, you know who you’re interacting with: It’s a legitimate person.”

Lee’s focus on transparency and trust is not just limited to Reddit’s users. He told us building trust with employees is also important; his most recent attempt to do so involved sharing his own performance review with his peers: “I shared with the entire company because I want them to see, ‘Hey, here’s what your CISO is working on. Here’s where your CISO is doing well. Here’s where your CISO needs some improvement or has challenges, etcetera,’ because that vulnerability leads to additional trust.”