Reddit CISO Allison Miller builds trust through transparency
25 October, 2021 19:45
Allison Miller (Reddit)
Allison Miller’s official title -- CISO and vice president of trust -- says a lot about her role and responsibilities at Reddit.
Like all CISOs, Miller oversees the cyber security strategy and operations at the 16-year-old company. She’s also in charge of privacy, ensuring that Reddit safeguards data against illicit uses and unauthorised access.
But unlike many other security chiefs, Miller is specifically tasked with safety, too, a job she summarises as “keeping shenanigans from impacting a good user experience.” She also manages workers who help enforce company policies regarding content posted on its community sites.
All of that, Miller explains, falls under the umbrella of the trust in her title -- an unusual titular recognition of the broadening scope of security work that’s happening today.
But an accurate one, Miller says, as she considers building trust a core part of her duties, something that shapes how she’s leading her team and how they together can impact the business itself as she devises strategy for security, safety, privacy and trust.
“I want to set an inspirational vision for the team and tell a story about what the trust organization is trying to accomplish in terms of deliverables as well as our value to Reddit and Reddit users,” Miller says.
Miller joined Reddit in February 2021. With nearly 25 years of experience in cybersecurity, she had spent much of her tenure in the profession scaling teams and technology. She pioneered the development of real-time risk prevention and detection systems running at internet-scale, and she led initiatives to engineer the defences of core payment and e-commerce systems.
Miller had most recently been with Bank of America, first as SVP of engineering, where she built the cybersecurity technologies used to protect the firm, and then moving up to SVP of technology strategy and design, where she led a team refactoring the defensive tech stack.
Now, as head of Reddit’s safety and security teams, she’s charged with expanding trust and safety operations, ensuring data security and evolving company programs to mitigate risks. She’s also redesigning Reddit’s trust frameworks and transparency efforts, both of which have been identified as enablers of growth across the platform.
She came to Reddit ready to sprint out of the gate.
“My first priority, as it is at all companies [I join], is to get situational awareness and get the lay of the land and understand what’s happening, but here I got thrown right into the thick of the action,” she says, admitting she would have liked to have had more time for a listening tour.
“But the company is growing and changing so fast, there were so many things already happening, I put my attention right to making sure the team is set up for success. I wanted to make sure the team was really operating as a team and had a culture of collaboration and working effectively together and cross functionally.”
As for priorities moving forward, Miller wants to continue to shift left by empowering developers to bring security into the development cycle as early as possible and “investing more energy left of the boom, before something bad has happened.” As she sees it, “it’s way better to find vulnerabilities in your code and deal with a security issue in the design before it’s launched.”
And she wants to leverage more telemetry and build more data-driven defences to create a more proactive approach to security. “Being able to prevent and protect, rather than have all your eggs in detect and response, has always been a driver for how I approach security,” Miller adds.
However, Miller says recruiting the talent needed to implement her vision remains a challenge. Like many other CISOs, she struggles to find qualified talent and the right specialists to grow her team as quickly as she wants.
Meanwhile, she says Reddit’s visibility can create additional security challenges that must be anticipated and countered, as the company can be targeted in ways that other less-prominent ones are not. “It means there are more angles we have to keep our eyes on,” Miller says.
Transparency and openness
Despite those challenges, Miller stresses that the integrity of both the company and its platform is paramount. To that point, Reddit has been expanding its safety and security department staff as well as doubling down on cybersecurity fundamentals.
At the same time, and in true Reddit fashion, Miller is continuing the company’s tradition of openness. She and her team share information about their practices, developments, and findings with the security field and within its own online community (r/redditsecurity).
“Reddit is a community of communities, so sharing what shapes our values, how we’re acting in accordance with our values [is part of our culture],” she says, noting that Reddit also publishes quarterly safety and security reports and has a public bug bounty program.
Miller believes transparency is critical to building trust with customers: “What’s true at Reddit and maybe unique is the level of transparency we provide to our customers, because we want it to be the best place for people to find other likeminded folks.
“So we have to build and reinforce our relationships with our users and our customers and clarify what’s going on behind the scenes so they feel willing to be part of a community and share things willingly.”
It’s also a differentiator, she adds, making transparency a critical component of her job -- right up there with security and privacy.
“Security is transparent, and privacy is in our DNA,” she explains, pointing, as an example, to Reddit’s system that allows users to selectively share information about themselves. “We believe that’s an advantage.”
Miller’s passion for transparency isn’t confined to Reddit; she advocates for more sharing within the cybersecurity profession as a whole and is active with various groups, having served in advisory and board roles for organisations including the Center for Cyber Safety and Education, (ISC)², and the Society of Information Risk Analysts (SIRA).
“It’s helpful when you’re at an executive level to be connected to other leaders,” she adds, “because we’re facing common problems and common adversaries.”