Episode 116: Joe Sullivan on Managing Complex Security Challenges
Oct 11, 2023
auto_awesome
Joe Sullivan, experienced security risk manager, discusses his career journey from federal prosecutor to CSO at Facebook, Uber, and Cloudflare. He shares insights on building and managing security teams, managing risk at companies like Facebook and Uber, and his experiences being prosecuted for a breach at Uber. Sullivan also talks about the future of executive liability in cybersecurity and his current work supplying technology for remote learning to children in Ukraine.
Cooperation between the public and private sectors is essential in cybersecurity, requiring better collaboration between companies, researchers, and government agencies.
Clear lines of transparency and accountability are crucial in cybersecurity incidents, with executive leadership and board members being held accountable for their roles.
Bug bounties are valuable in incentivizing ethical behavior, and security leaders should focus on building effective teams, communicating with executives, and collaborating with the security community.
Deep dives
Path to Cybersecurity Career
Joe Sullivan shares his journey into the cybersecurity industry, starting from his background in technology and his initial interest in working for the government. He discusses his involvement in technology within the US Department of Justice and his role as a federal prosecutor focusing on cybercrime cases. Sullivan also highlights his transition to the private sector, where he worked for companies like eBay, PayPal, Facebook, and Uber, and the unique challenges he faced in each organization.
Cooperation Between Public and Private Sectors in Cybersecurity
Sullivan emphasizes the importance of cooperation between the public and private sectors in cybersecurity. He discusses the need for better collaboration between companies and researchers, as well as between companies and government agencies. Sullivan acknowledges the evolving nature of cybersecurity and the challenges of navigating legal and operational aspects. He reflects on his own case, highlighting the importance of clear lines of transparency and accountability, and the need for executive leadership and board members to be held accountable in cases involving cybersecurity incidents.
Lessons Learned and Future Outlook
Sullivan shares his insights and lessons learned from his experiences in cybersecurity leadership roles. He discusses the significance of corporate accountability and the role of bug bounties in incentivizing ethical behavior. Sullivan also reflects on the need for security leaders to build effective teams, communicate with other executives, and collaborate with the security community. He concludes by discussing his current work in Ukraine and his commitment to helping citizens in the cybersecurity field.
Utilizing technology for safer rides
Technology can play a significant role in enhancing safety measures for ridesharing services. By leveraging technology, companies like Uber can ensure efficient routes, monitor driver behavior, and even prompt questions to riders to gauge their sense of safety. These technological advancements have the potential to positively impact real-world safety for both drivers and passengers.
Handling a security incident at Uber
In the fall of 2016, a security incident occurred at Uber. While the team believed they had resolved it by the end of the year, the incident resurfaced in the fall of 2017. This incident happened amidst other challenging events, including protests related to the company's CEO supporting the future Trump presidency. The resulting media scrutiny and internal pressure led to the CEO's departure. Subsequently, a group of executives acted as co-CEOs, leading the $40 billion company. Eventually, a massive review of past incidents revealed the need for a disclosure that had not taken place earlier, leading to legal complications. Despite the judge acknowledging the team's technical competence and the absence of harm to customers, the fallout from the incident resulted in negative repercussions for the interviewee.
Joe Sullivan has been at the forefront of managing security risk in rapidly growing high tech companies over the past 20 years serving as the Chief Security Officer at Facebook from early start-up through the IPO, CSO of Uber and CloudFlare, and as a security leader at eBay/PayPal. Joe was also involved in a landmark legal case for a breach at Uber which resulted in a criminal conviction that serves as a precedent for executive liability in cybersecurity going forward.
In this OODAcast we discuss:
Joe's early career and how he got interested and involved in technology and started his career as a federal prosecutor focused on cyber crime.
The transition into serving as a technology company CSO and his experiences at eBay/PayPal, Facebook, Uber and Cloudflare.
Lessons learned from building and managing highly functional security teams in dynamic environments.
Frameworks for managing risk at companies like Facebook and Uber.
His experiences being prosecuted and convicted surrounding circumstances associated with a 2016 incident at Uber.
How the courts will handle future cases like this and the associated liability for C-suite executives.
His current work focused on supplying technology for remote learning to displaced children in Ukraine.
Official Bio:Joe Sullivan is CEO of Ukraine Friends and President of Joe Sullivan Security LLC. Previously, Joe had served as the Chief Security Officer of Cloudflare since July (2018 - 2022). Prior to that, Joe was employed as Chief Security Officer at both Uber (2015 - 2017) and Facebook (2008 - 2015). His first private sector experience was in senior security and legal roles at eBay and PayPal (2002 - 2008). He also held the position of Commissioner for the United States Presidential Commission on Enhancing National Cybersecurity in 2016 and spent the first eight years of his career with the US Department of Justice, including as a federal prosecutor focused on cyber crime. Joe also advises a number of companies on security practices and mentors a number of developing security leaders.
