Secret CSO: Edward Frye, Aryaka Networks, Inc.

Name: Edward Frye

Organisation: Aryaka Networks, Inc.

Job title: Chief Information Security Officer

Date started current role: June 2019

Location: San Mateo, California

Edward Frye is the Chief Information Security Officer (CISO) at Aryaka Networks, Inc., where he's responsible for the company-wide leadership of Aryaka's information security program as well as collaborating with the industry to share best practices on information security. Frye leads the Security, Risk and Compliance teams and drives the global effort to ensure Aryaka is continually improving its security posture and maintaining and enhancing its compliance and industry certifications.

What was your first job? I joined the U.S. Air Force right out of high school to be a "Computer Communications Systems Control Specialist", which is a fancy title for network administrator.

How did you get involved in cybersecurity? I kind of stumbled into it. When I was taking a programming class in high school, we had an old terminal system that we "tested" the security on, or when I was working at the ISP, we were hacked. But I officially joined cybersecurity when I was working as a Systems / Network Engineer, when my company sent me to firewall training, after returning, they changed my title to "Security Engineer" at which point they started giving me more and more security tasks. I just kept getting into different areas of cybersecurity attempting to broaden the depth and scope of knowledge and understanding.

What was your education? Do you hold any certifications? What are they? My career started with on the job training and self-learning, followed by certifications. My first certificates were a pair of CheckPoint Firewall-1 certificates, then a bunch of vendor specific training and certifications. I earned my CISSP in 2003. Then I took a couple of SANS courses on hacking and forensics. After being in the industry for a while, I decided to pursue a Master of Science degree in Information Security and Assurance.

Explain your career path. Did you take any detours? If so, discuss. After being in cybersecurity for about ten years, I decided to take a step back to my roots and work on systems, networking and technical support. This lasted about four years before coming back to focused security roles.

Was there anyone who has inspired or mentored you in your career? There have been many people who have inspired me over the years, through my professional associations, work colleagues, etc., but at my second dedicated security role, I worked for Andrew Daniels, and I've maintained contact with, been mentored by and have looked up to him. Today, I network with leaders in High Tech, FinTech, Healthcare and Data Protection, and this allows me to be a better CISO by helping me look at my responsibilities from all perspectives.

What do you feel is the most important aspect of your job? One of the most important aspects of my job as a CISO is understanding the business and the risk exposure of my organisation, aligning my security initiatives to manage the risk while being an evangelist that can speak business risk to both technical and non-technical audiences in a language they understand while establishing relationships across the organisation and amongst my peers.

What metrics or KPIs do you use to measure security effectiveness? There are a lot of different KPIs that I've used to measure the effectiveness of my security programs, and it depends on which portion of the business I'm particularly trying to measure. I like to use a combination of Capabilities Maturity Model (CMM)/ BSIMM and the CIS 20 framework. For me, it's about measuring how the program is improving and where we need to focus our efforts to demonstrate the most value for the company and our customers.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? For cybersecurity, the positions I am having issues filling are related to Application Security. It's an interesting role that is not quite a development role, and not an operations role, but requires understanding of many areas of IT, development and cybersecurity. In trying to fill this role, I have spent over a year looking for qualified candidates. In speaking with my fellow CISOs, a lot of them are looking for this specific blend and mentality. Because of this, I will be looking to grow security engineers from other areas such as security operations or compliance into AppSec.

Cybersecurity is constantly changing - how do you keep learning? I have a professional development goal added for all team members, including myself, as part of our annual goals. There is budget set aside for online training, and to attend conferences, and for the team to attend Black Hat and DefCon. As a member of the Silicon Valley Information Systems Security Association (SV-ISSA), we have monthly chapter meetings where we bring in speakers to talk about new or interesting security problems and how to solve them. It's important to have continuing professional education, and it's built into the security controls framework.

What conferences are on your must-attend list? I think it's important to attend conferences such as RSA, Black Hat, Defcon, BSides, and local events such as ISSA, ISC2, and ISACA chapter meetings, but, while I get value from the events themselves, I tend to get the most value from the interactions and networking surrounding the events.

What is the best current trend in cybersecurity? The worst? I think the trend of machine learning, when applied correctly can be a great asset to the cybersecurity world. However, the terms "machine learning" (ML), "artificial intelligence" (AI) and "blockchain" are overused within the industry. Cybersecurity vendors are trying to apply these terms and technologies to everything and using it as marketing spin that will solve all your cybersecurity problems. Information Security and Cybersecurity are business problems, and you can't bolt on new technology and expect it to solve your problem without understanding your particular business problem.

What's the best career advice you ever received? I would probably have to say the best advice I was given was "remember, it's a marathon; not a sprint". While there are some solutions that need to be addressed quickly, it takes time to make a real lasting impact.

What advice would you give to aspiring security leaders? Try and get exposure to as many different aspects of cybersecurity as you can. Network security, system administration, email security, forensics, incident response, vulnerability management, penetration testing, compliance, risk management, and privacy; the field is so broad, you don't need to know all of it, but the more you know, the easier you can address issues or hire the right people to address your issues.

What has been your greatest career achievement? My greatest career achievement was being able to join a company and establish an Information Security Management System (ISMS) nearly from scratch and obtain 27001 certification in an unprecedented two months.

Looking back with 20:20 hindsight, what would you have done differently? While there have been some hard times and challenges, I'm not sure I would change anything; the choices that I've made and challenges I've faced have brought me here to where I am today.

What is your favourite quote? "The only thing necessary for the triumph of evil is for good men to do nothing." ― Edmund Burke.

What are you reading now? I just finished reading "Never Split the Difference: Negotiating as if Your Life Depended on It" by Chris Voss.

In my spare time, I like to… Take photographs, ride motorcycles and fly airplanes. I currently have a private pilot's license and am working on an instrument rating.

Most people don't know that I… Have always wanted to be a professional pilot and aeronautical engineer for as long as I can remember. In sixth grade for career day, I made an appointment to tour the local flight school.

Ask me to do anything but… Accept that we do it this way because that's the way it's always been.

