Last week, we published the first half of our recent email Q&A with Reddit CISO Sean Catlett, in which Catlett tackled questions about cybersecurity's human element, its ongoing labor shortage and the impact of COVID-19 on CISOs. In the lightly edited transcript of the second half of that interview that follows, Catlett shares his thoughts on intelligence threat sharing, artificial intelligence, privacy and the future of cybersecurity.

Over the years, there's been a lot of talk about threat intelligence sharing, but for many reasons it hasn't become as commonplace as some believe it should. Do you consider threat intelligence sharing to be an effective deterrent?

Throughout my career, I've actually seen many positive instances of threat information sharing. For many years, I held incident response roles for global financial services companies. In that time, my organizations spearheaded the establishment of the Financial Services Information Sharing and Analysis Center (FS-ISAC), led public and law enforcement task forces on international e-crime and collaborated globally to facilitate the sharing of threat signals. In later years, I held roles in commercial threat intelligence, and we supported threat sharing via commercial and non-commercial initiatives.

This has been the model for many industries—to have trade groups establish sharing mechanisms. There is, however, a greater challenge for companies to share intelligence versus information. This gets a lot harder because intelligence in the information security world to some means the latest and greatest indicators of compromise. This becomes highly specific and targeted, and the variability of maturity of different programs across the globe means varying degrees of ability to detect, different regulations on what's allowed to be shared and different risk appetites for what should be shared. I believe that the ISAC model, with companies in a similar problem space, can be an effective tool. 

What is your outlook on artificial intelligence and its offshoots (machine learning, deep learning, robotics, image recognition, etc.), both as a threat and as a cybersecurity tool?

I’ve applied these tools for many years and have patents for applying machine learning to intrusion detection and access management. I have never seen AI or its offshoots as anything more than a tool or another systematic approach to detection. I don't think construction workers run around talking about how hammers are dead because of nail guns. They look at the right tool for the job. 

The industry is caught up in the cool factor of automation because it can be applied to hard problems at great scale. This has the industry seeing dollar signs. However, there are three questions we have to ask ourselves. First, can these tools keep up with the pace of the adversary? Second, are they worth the increased expense versus common sense approaches? And last, will they alone really solve the problem? 

AI tools are one step in a long process of deployment, training, tuning, signal detection, enrichment, response and investigation. Taking one part of cybersecurity, such as detection, and claiming "revolution" is premature. I'd like to see more investment in machine learning across all of the security domain. As a threat, I'd restate what I said (in Part 1 of this interview) about the human element—we have to recognize that there is someone else on the other side of the keyboard. They can achieve the same scale for their motivations with these tools.

Privacy has become a hot-button area as the combination of big data, AI and advanced analytics reach further into our lives. How is the growing array of privacy concerns guiding your decisions as a CISO?

I took the job at Reddit because I truly believe in the power of privacy to shape our future. We should not have to trade our privacy to participate online or in a digital economy. Privacy guides most of my decisions as CISO, and informs the rest. What I mean by that is we have to think about what customers expect, what they have entrusted us with and how we protect that or remove what we don't need.

Actively understanding data and data flows when building security tools is vital. We take a very rigorous approach regarding the access afforded any tool in our environment. We’ve also pushed back dramatically on SaaS-based tools to verify their security posture, threat model and deployment architecture when thinking about what to put in place. On the consumer privacy side, we also recently launched a user privacy center that we continue to actively evolve and develop to give customers better information, choice and control over their identity and content on Reddit.

What are your biggest cybersecurity concerns for the next few years, and conversely, what makes you excited about the future of cybersecurity?

The areas I’m most focused on are (1) the proliferation of information security surface area to protect, (2) the lack of fundamentals as we focus on the new shiny and (3) the lack of skills and growth development in the industry. To the first point, there is a greater surface area where information systems and software are being deployed because businesses want to save on costs and thus neglect the threat model or abuse case costs of doing so, such as cloud-native to IoT to large-scale industrial control systems. This creates an immense gap in solutions and skill sets. It concerns me that we are losing sight of the core vitals like multi-factor authentication everywhere possible, patching and asset management, identity and access lifecycle management and logging in favor of the changing threat defense solution of the day. I hope we can find more collaborative and industry-wide solutions to our skills gap and help onboard more people into the industry. 


However, answering those questions is what keeps me engaged and excited about the future. I look forward to seeing a diverse background of business and technical professionals excited about solving these challenges. I also hope to see more CISOs and information security executives being seen as true leaders, versus serving an IT or technical function, and being recognized for creating value for the business.
Contributors: