Name: Edward Frye
Organisation: Aryaka Networks, Inc.
Job title: CISO
Date started current role: June 2019
Location: San Mateo, California
Edward Frye is the Chief Information Security Officer (CISO) at Aryaka Networks, Inc., where he’s responsible for the company-wide leadership of Aryaka’s information security program as well as collaborating with the industry to share best practices on information security. Frye leads the IT, Security, Risk and Compliance teams and drives the global effort to ensure Aryaka is continually improving its security posture and maintaining and enhancing its compliance and industry certifications.
What was your first job? I joined the U.S. Air Force right out of high school to be a “Computer Communications Systems Control Specialist”, which is a fancy title for network administrator.
How did you get involved in cybersecurity? I kind of stumbled into it. When I was taking a programming class in high school, we had an old terminal system that we “tested” the security on, or when I was working at the ISP, we were hacked. But I officially joined cybersecurity when I was working as a Systems / Network Engineer when my company sent me to firewall training; after returning, they changed my title to “Security Engineer”, at which point they started giving me more and more security tasks. I just kept getting into different areas of cybersecurity, attempting to broaden the depth and scope of knowledge and understanding.
What was your education? Do you hold any certifications? What are they? My career started with on-the-job training and self-learning, followed by certifications. My first certificates were CheckPoint Firewall-1 certificates, then a bunch of vendor-specific training and certifications. I earned my CISSP in 2003. Then I took a couple of SANS courses on hacking and forensics. I decided to pursue a Master of Science degree in Information Security and Assurance after being in the industry for a while.
Explain your career path. Did you take any detours? If so, discuss. After being in cybersecurity for about ten years, I decided to take a step back to my roots and work on systems, networking and technical support. This lasted about four years before coming back to focused security roles.
Was there anyone who has inspired or mentored you in your career? There have been many people who have inspired me over the years, through my professional associations, work colleagues, etc., but at my second dedicated security role, I worked for a security leader whom I have maintained contact with, been mentored by and have looked up to. Today, I network with leaders in High Tech, FinTech, Healthcare and Data Protection, and this allows me to be a better CISO by helping me look at my responsibilities from all perspectives.
What do you feel is the most important aspect of your job? I feel that the relationships that the CISO establishes are the most important. The CISO’s role is as a business enabler while also protecting the company. The CISO must become a trusted partner for the rest of the executives.
What metrics or KPIs do you use to measure security effectiveness? There are a lot of different KPIs that I’ve used to measure the effectiveness of my security programs, and it depends on which portion of the business I’m particularly trying to measure. I like to use a combination of Maturity Models and the CIS 18 framework. For me, it’s about measuring how the program is improving and where we need to focus our efforts to demonstrate the most value for the company and our customers.
Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? For cybersecurity, there will always be a skills shortage, and a gap in what we think are qualified candidates. So we need to reevaluate what we feel are qualified candidates. We need to look more at the soft skills, rather than the hard skills. Is the person driven, are they curious, do they have some technical chops? I have a colleague that started in a sales role and customer success manager, then moved to business systems to support the sales tools, then to an IT role and is working on security projects in a highly regulated space. In speaking with my fellow CISOs, a lot of them are looking for this specific blend and mentality. Because of this, I will be looking to grow security engineers from other areas such as operations, IT, engineering into Security.
Cybersecurity is constantly changing – how do you keep learning? I have a professional development goal added for all team members, including myself, as part of our annual goals. There is budget set aside for online training, and to attend conferences, and for the team to attend Black Hat and DefCon. As a member of the Silicon Valley Information Systems Security Association (SV-ISSA), we have monthly chapter meetings where we bring in speakers to talk about new or interesting security problems and how to solve them. It’s important to have continuing professional education, and it’s built into the security controls framework.
What conferences are on your must-attend list? I think it’s important to attend conferences such as RSA, Black Hat, Defcon, BSides, and local events such as ISSA, ISC2, OWASP, and ISACA chapter meetings, but, while I get value from the events themselves, I tend to get the most value from the interactions and networking surrounding the events going back to the relationships.
What is the best current trend in cybersecurity? The worst? I think the trend of machine learning, when applied correctly, can be a great asset to the cybersecurity world. However, the terms “machine learning” (ML), “artificial intelligence” (AI) and “blockchain” are overused within the industry. Cybersecurity vendors are trying to apply these terms and technologies to everything and using it as marketing spin that will solve all your cybersecurity problems. Information Security and Cybersecurity are business problems, and you can’t bolt on new technology and expect it to solve your problem without understanding your particular business problem.
What's the best career advice you ever received? I would probably have to say the best advice I was given was “remember, it’s a marathon; not a sprint”. While there are some solutions that need to be addressed quickly, it takes time to make a real lasting impact.
What advice would you give to aspiring security leaders? Volunteer for that role, or that new project. Try new things and get exposure to different aspects of cybersecurity. Network security, system administration, email security, forensics, incident response, vulnerability management, penetration testing, compliance, risk management, and privacy; the field is so broad, you don’t need to know all of it, but the more you know, the easier you can address issues or hire the right people to address your issues.
What has been your greatest career achievement? My greatest career achievement was being able to join a company and establish an Information Security Management System (ISMS) nearly from scratch and obtain 27001 certification in an unprecedented two months.
Looking back with 20:20 hindsight, what would you have done differently? While there have been some hard times and challenges, I’m not sure I would change anything, the choices that I’ve made and challenges I’ve faced have brought me here to where I am today.
What is your favourite quote? “The only thing necessary for the triumph of evil is for good men to do nothing.” ― Edmund Burke.
What are you reading now? I just started reading Big Breaches: Cybersecurity Lessons for Everyone by Neil Daswani.
In my spare time, I like to… Take photographs, ride motorcycles and fly airplanes. I currently have a commercial pilot’s license and am working on my certified flight instructor certificate.
Most people don't know that I… Have always wanted to be a professional pilot and aeronautical engineer for as long as I can remember. In the sixth grade for career day, I made an appointment to tour the local flight school and ride in a helicopter.
Ask me to do anything but… Accept that we do it this way because that’s the way it’s always been.