
October 5, 2023 67 mins

In a time when the regulatory landscape is evolving faster than ever, Joe offers insights for organizations and their security leaders on navigating an increasingly perilous landscape. Drawing on his extensive experience training law enforcement across the globe, as well as his personal experience with the legal fallout of the Uber data breaches, he highlights the importance of regulators keeping up with the latest technologies.

Joe emphasizes the need for security leaders to communicate technical risks effectively to non-technical audiences, establishing themselves as trust-builders within their organizations.

Joe discusses the symbiotic relationship between the public and private sectors in cybersecurity. He underscores the challenges in transitioning between these sectors and the crucial role of information sharing and standardized risk-management frameworks.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mark Havenner (00:05):
You are listening to Executive Cybersecurity with Dave Tyson.
Welcome to season two of Executive Cybersecurity.
In this season's inaugural episode, Dave is speaking with Joe Sullivan, former CSO of Facebook, Uber and Cloudflare,

(00:26):
and who was the target of a federal prosecution for Uber's 2016 data breaches.
Joe is now CEO of Ukraine Friends, a non-profit focused on humanitarian aid to Ukraine.

Dave Tyson (00:42):
Well, Joe, thanks for joining us today.
I really appreciate you taking the time.
I know you're a busy guy.
Maybe we can just start for background for some of the folks who will see this, maybe give a little history of your career.
I know you started out in law enforcement, or maybe even before that.
Can you take us through the journey?

Joe Sullivan (00:59):
Sure, I guess I knew from the beginning that I wanted to go to law school and then get out of law school and work for the government.
While I was in law school I did a volunteer internship with the US Department of Justice and then I applied to the Department of Justice for the only path into the federal government

(01:20):
Department of Justice straight from law school, an honor law grad clerkship.
It was a one-year clerkship with the Department of Justice.
That was my first stop out of law school.
I then went and worked at a law firm for a couple of months, which validated for me that the government was the right path, and reapplied and got back into the Department of Justice and

(01:42):
spent another seven years there, culminating in the second half of that time all getting to work on high-tech crime.
Back in 1995, I was the person in the Department of Justice who was convincing everyone to give me a connection to the internet from my desk.
They actually gave me one, I think in 1996, but it was not.

(02:07):
I had to use a separate computer and it was a direct line out and it wasn't allowed to connect with anything inside.
So I could access the internet from my office to do research, but I couldn't kind of mix computers, so to speak.
Then in 1997, I got a chance to become what's called a computer

(02:28):
and telecommunication crime coordinator, which is what they called the first set of federal prosecutors who were trained to specialize in high-tech crime.
From there, in the beginning of 2000, I became a full-time federal prosecutor here in Northern California, was actually

(02:48):
based in the San Jose office right down the street, and I was one of a group of people who were selected and the first federal prosecutors who were dedicated full-time to high-tech cases.
We called it the CHIP unit, Computer Hacking and Intellectual Property, and I did that until 2002.

(03:09):
I was recruited to eBay and stayed at eBay until 2008, if you count my time on the PayPal side of the house, got invited to go over to Facebook in 2008.
Was there until 2015 when I was invited to go to Uber.
After two and a half years at Uber, I went to Cloudflare and I

(03:34):
was the CSO at Cloudflare, I should say.
For when I went to eBay I had a hybrid role that was kind of half legal and half trust and safety slash security, and that was my real kind of introduction to doing it on the corporate side.
At Facebook, I became the company's second chief security

(03:55):
officer and was there from when we were smaller than MySpace to an over-a-billion-user public company.

Dave Tyson (04:05):
It's an amazing journey.
As security professionals, we often joke about having to break in our lawyer when we get to a new CSO job and you have the opportunity to have the best of both worlds.
You understand the law and certainly led from the front in a number of things.
I remember watching from afar at Facebook where you took out a

(04:29):
full page ad in the newspaper to talk about the issues and obviously you've helped on good, solid legal ground to do that and I think that's a great combination of skills.
You don't see it every day with people who have both a law degree and prosecution experience and leading the front from a cybersecurity perspective.

Joe Sullivan (04:49):
Yeah, it's interesting.
The thing I try and remind people, though, is, in the same way that not every engineer is good at every type of engineering, not every lawyer is good at every type of lawyering, and, like any trade, if you put down the tools, the skills

(05:09):
fade quickly.
So I think, in terms of when I got away from practicing law, I still understood the complexity of it, and one of the things that I always advocated for at every company and, generally speaking, in God, was having specialist lawyers hired and

(05:30):
assigned to work with my security teams.
A lot of times at an early company, they'll have why would we need a specialist lawyer in an area like security, and it was complicated then.
It's 10 times more complicated now in terms of the legal landmines that exist.

Dave Tyson (05:49):
We had the opportunity to briefly work together at eBay and I know you worked on a lot of stuff there and I gathered from watching from a distance that you had the opportunity to train other lawyers in other places about how to prosecute these types of crimes.
How would you say that the profession is evolving in terms

(06:09):
of their understanding of what the issues are and the ability to provide great advice to organizations?

Joe Sullivan (06:18):
Yeah, I think that's a really good question.
In some ways, it's a lot like the legal side that supports us and the other areas that support us in the world of security.
They're evolving at the same pace that security is, and

(06:39):
security is evolving tremendously quickly right now in terms of the role, expectations, the breadth of understanding you need to have.
When I get together with large groups of security executives now, or small groups, the conversation over the course of a day is shockingly broad.

(07:00):
We're talking about very technical things related to the latest attacks, and then we're talking about legal issues related to liability of ourselves.
We're talking about legal obligations of our companies, regulatory obligations of the organizations we work with, but

(07:21):
then we're also talking about finances and how to manage budgets, how to manage vendors and then, on top of that, how to manage up and engage with boards and other kind of executives.
And if you look at our profession, it didn't really

(07:43):
exist 20 years ago.
In the same way, I think when I became the CSO at Facebook, most of the people who were my peers were kind of like mid-level inside their organizations, many layers down from the top leadership of the company, and that was viewed as

(08:07):
kind of like the peak and you were expected to be a hands-on technical leader.
Flash forward 15 years and you're now expected to be able to sit in a boardroom and talk about every subject that comes up in the boardroom when we talk.
When a lot of security leaders raise their hand and say, can I

(08:29):
be a board member or executive at that level, or why am I not a board member, the answer is really because you don't have the experience that a board member has thinking about all the issues that an organization needs to handle.
The goal is a boardroom should be a group of people who are

(08:55):
collectively thinking about and discussing at a high level every single issue for that organization and there are no one-trick ponies in the room.

Dave Tyson (09:05):
One last question on this line before we move on.
What do you think about the relationship between the board and executive management around this responsibility for cyber?
It seems like it's evolving and I wonder how well that's understood.

Joe Sullivan (09:27):
It's interesting, I think, that security leaders for a long time have been asking for and trying to figure out how to get board and top level focus on security and now that we're getting it, it's stressing us out again.
So it's like it used to be 10 years ago when the security executives got together the talk was like how do I convince my

(09:50):
company to give me board time?
How do I?
Okay, I got the board time.
Now what do I say?
And now it's the board wants regular updates, regular engagement, communication that they understand and they want some training too.
So it's evolved fast and remember, the people who are now

(10:13):
appearing in front of the boards were the people who thought the pinnacle of their profession was going to be far from that 10 years ago.
So maybe they chose the profession because it was comfortable in terms of like they weren't going to be at that level.
Like I remember back when I was at eBay and we had a great slate of top leadership at the company and I would watch people

(10:38):
like Maynard Webb or Meg Whitman and Mike Jacobson, the general counsel, who I can see Meg always looked at as a business leader as much as an attorney, and you just look at these people and you think, oh, I'm not ever going to operate at their level someday, and so I'm just, I'm cool being down here.
And then next thing you know, you're actually in meetings with

(11:03):
them and they expect you to communicate with them like a peer. Right.

Dave Tyson (11:07):
Let's talk a little bit about the environment that companies operate in now, and I mean, if you look at the evolution of regulations, consumer expectations, even the legal realm obviously is.
It's changing rapidly and we've seen multiple agencies in the

(11:29):
United States for sure, and what will no doubt start to affect other places evolve.
Most recently, a number of organizations have got, whether it be the SEC or others, have gotten into the regulatory game.
There's legal precedent, cases that are constantly being pushed now, even what I might refer to as activism at the state level

(11:51):
in some of these spaces.
What do you think about that evolving landscape in terms of what the implications are for organizations?

Joe Sullivan (12:01):
Well, I think it's important for every organization to understand, operate within the boundaries of the law, and what we need is, in many ways, more clarity on what the rules of the road are.
It's something I've thought about a lot.
There was a I read this newsletter that comes I'm not

(12:21):
sure if it's weekly or daily or somewhere in between by this journalist named Matt Levine, and last year he had a really great article on, I think, regulation in the cryptocurrency space, and I read the article and it made me think of other

(12:41):
analogies beyond the crypto space.
And what he said was and I'm not quoting directly, but I've read it a few times he said something like let me tell you a dumb, a dumb framing of how regulation works.
And just, he was like trying to simplify it.
He said there's two types of regulation.
There's regulation by rulemaking, which is you know,

(13:05):
when we drive down the street, we have the rules, they're very clear, we know what to do with the yellow line and what to do with the white line and which ones you can cross and when you cannot cross them, and so that's regulation by rulemaking. Give us the rules.
If you drift outside the lines, you're in trouble.
And then he said there's a.
What we're seeing so much lately is regulation by enforcement,

(13:28):
which is you ask for the rules, you ask for the lines, but the regulators don't give you the lines and they kind of sit back and wait and when they see something they don't like, they come in with an enforcement action.
And he was talking about it in the context of cryptocurrency

(13:52):
and that resonated with.
I don't know a lot about Coinbase, but from the outside it seems like they're the one cryptocurrency company that has been trying to follow the rules and has asked for guidance and then not received it, and now are in, you know, facing a bunch of enforcement action.
Right, and if you, if you think about it, it's.

(14:13):
This is happening in the cryptocurrency space because it's fast evolving.
It's hard to understand from outside the industry, regulators don't have a lot of experience in it and consumers jump into it and then consumers get hurt and so regulators, if they're not,

(14:36):
if not on the ball, we end up in that world of regulation by enforcement, and it seems to be happening right now in the AI context.
There maybe there's actually more conversation and discussion about regulation up front, but it almost feels like it's too late for those of us who've worked inside companies that

(14:57):
have been using machine learning for over a decade, right the, the public debate is only happening now because one product, ChatGPT, was launched.
That kind of like shocked the whole rest of the world into awareness of what, about what's been going on right, and so the question is you know, are we get in AI?

(15:17):
Is this a chance for regulators to actually get ahead and have regulation by rulemaking?
In the world of internet in general, this has been the story of the last 20 years: companies get out ahead of government understanding, consumers get hurt, regulators come in with enforcement, and I think it's important for everybody to kind

(15:41):
of like think about regulators that way that they're not.
They need, they need to be engaged proactively, they need to have visibility into the new technology, they need to understand the implications of it, and there need to be people inside the companies that are trying to engage with them and explain the risks and the opportunities.

Dave Tyson (16:01):
You know, what you said makes a lot of sense, but it also triggered a second thought.
When I was at the City of Vancouver, we were preparing for the Olympics and there was a lot of topics that we were tackling.
One of the, one of the lawyers who worked there made a comment to me that said we're tackling a lot of new technologies, we're

(16:22):
tackling a lot of things, and you know the regulators, that even some of the senior judges you know weren't born digital, they were born analog.
There's a lot of gray hair at the courthouse.
There's a lot of gray hair in, in the regulatory framework.
You know leadership and, and I wonder if now that was a while

(16:43):
back, but I'm wondering if you think that now the, the technology is better understood or the how it's used is better understood by those who make the rules.

Joe Sullivan (16:56):
Well, I think it depends.
I've, you know, over the course of so many years at so many different companies, I've had the chance to go around the world and I've trained law enforcement in probably 25 different countries and I think even just at eBay.

(17:16):
I went to 47 of the 50 state capitals to try and engage and explain to law enforcement and to other regulators how to go.
Like we at eBay, we wanted the government to give us the rules for what we should allow to be sold on eBay and whatnot.
And we, because we're dealing with a two-sided marketplace, we

(17:39):
wanted the sellers to know that if they defrauded a buyer, we were going to bring a case to law enforcement.
We were, eBay was pretty aggressive in that context.
We wanted the buyers to know that we had their back and we wanted to know the sellers.
We wanted the sellers to know that we were going to hold them accountable.
Because if you remember the early days of eBay, before

(18:01):
PayPal and Billpoint really took off, it was literally see something you like, put cash in an envelope, mail it and hope that the stuff showed up.
We're and I remember telling my mom about, like that's the business model of the company I'm going to work at and she thought that's crazy.
But the reality is most people like we used to say it, but most

(18:21):
people are, are basically good, and so most of the time the transactions were happening and they were amazing.
But then the bad guys, you know, see the opportunity and they move in fast and we had to be aggressive against them.

Dave Tyson (18:34):
So let's change gears.
But how is your experience, as you've been through all of this, obviously what you've been through most recently, you know, in the legal system, how is this reframed your thinking about how executives should think about cyber security and, and the responsibilities that come along with that?

Joe Sullivan (18:52):
Yeah, well, there was, there was.
There's one thing that stuck with me and that I've told a lot of security leaders was the biggest gift to them from my case, and that's this: At the sentencing hearing, the judge

(19:12):
said two things very clearly to an audience bigger than me.
The most important thing he said was where's the CEO and the company?
He put the government, he put the government prosecutor in the hot seat right for a few minutes and he said from where I

(19:37):
sit, the CEO is equally, if not more, culpable, because the judge had seen in my case that throughout the whole investigation, throughout all the decision-making process, everything we did we ran, everything was documented.
We followed the playbooks, we followed the guidance from legal.

(19:58):
We ran it all by the CEO and, and so the question was where, where's the CEO?
Right?
And that's the reality of what happens inside a corporation.
We don't operate in a vacuum in security.
We don't just go sit in the corner and get to make decisions.

(20:19):
Everything we do is just, in the same way that the person who runs marketing doesn't just get to put out ads, they, they have there.
There has to be a collaborative process and feedback and everybody and the leadership team who needs to be plugged in on a particular decision gets plugged in, and then the CEO makes those ultimate decisions, and so the, the question for the

(20:45):
government and the next case is going to be where's the CEO?
So I think that's an important one, because on the outside and this is something that how do I say this, a lot of security leaders are very frustrated that their inability to get their

(21:06):
desired outcome in situations inside their company. Amen.
They feel like they're, you know, shouting into the wind, sometimes about risk, and this statement by the judge is a gift to those people.
Now they have to be careful not to cry wolf right, but it is a

(21:28):
huge opportunity to drive awareness, and this isn't the only recent case where that, that signal has been sent about.
All the executives that are part of running the company need to be involved, and, and all the board members too, there, there have been and I haven't kept up with all the details, but there

(21:48):
have been quite a few cases where board members have been named in different ways.

Dave Tyson (21:55):
Well, you look at the, they went after the SolarWinds board, right, they weren't successful in that particular case, but you've seen executive liability.
I mean, they, they went after the McDonald's HR person, they've gone after others and, and in some cases they have gone after the CEO.
The Drizly case comes to mind, right, but yeah, I think that's.
It's very true.
I just wonder about, you know, what would be your thoughts in

(22:20):
terms of that relationship between the security leader and the leadership?
It seems to me that they're gonna have to articulately make that case to say, hey, this needs to be.
You know, this is a business risk, yep, not a technology risk, and we need to manage it like that, whether in my world, it would be great to make the business or the risk security

(22:42):
decision.

Joe Sullivan (22:43):
When you make the business decision, right, and acquire something, you're gonna engage in a new tack, you're gonna build something new, so I think there's two sides to it, like every conversation, and each side has some responsibility in making sure that the right conversation happens.
I haven't been on the board side, but I've been on the

(23:04):
security leader side and I've talked to a lot of security leaders about it and I don't think security leaders can be let off the hook.
I think we have a lot to do and that's I spend a decent amount of my time now talking to security leaders about that and, and working through situations with them.
First, I would say, at a high level, security leaders can't be

(23:28):
that one trick pony.
They're not invited to the room because they're the technical expert.
They're invited to the room because they can translate that technical issue to a non-technical audience in a way that they understand the risk.
That's number one.
But number two, they need to be a person who's communicating in a trust relationship with those other leaders.

(23:49):
If you are part of a team that does hard work and makes difficult decisions on a daily basis, you build a level of trust and relationship that gives you credibility when you say this is really important.
And most of our security leaders don't spend enough time

(24:10):
on that, and I learned it when I was at Facebook.
When I became, I was promoted to the VP level.
I was given an executive coach, and she said to me one thing that stuck with me a decade later, that I remember and I've shared with a lot of people, which is she said you spend 90%

(24:31):
of your time down facing with your team and 10% engaged with the other executives.
She said a good executive spends 50% of their time engaged with the other executives.
You need to build a leadership team within your organization that's strong enough that they only need 50% of your time, because the company needs you to spend 50% of your time with the

(24:54):
other executives.
And I remember thinking, well, what am I going to talk about?
Because I don't think I just want to go hang out.
If I go hang out with the CFO, they don't want to talk security with me all day.
They want to talk about finance.
They want to talk about their problems.
If I go hang out with the head of HR, they want to talk about

(25:14):
their problems.
If I go talk with the head of business, they want to talk about their problems.
And so that was a real journey for me and I think for a lot of us you have to actually be able to go talk to those other executives about their problems and help them, and so I looked for different pathways.

(25:35):
To like, if I was sitting in an executive meeting and I saw an executive dealing with a hard issue that I thought I could help them talk through and it had nothing to do with security, I would offer to talk it through with them.
If I saw an area where nobody in the room was an expert, which often happens, I hate to say, I would jump in.

(25:57):
I became an executive sponsor for one of our minority employee groups and became a champion inside my last couple of companies for diversity, because I realized there's no obstacle for me stepping in and having a voice on this topic.

(26:19):
In fact, it's good for my career personally and I've had so many diverse employees at companies say thank you for championing diversity for us.
We're grateful and I always say well, I don't want to admit this, but I'm doing it for me.
By standing up for you, I found another way for myself to have

(26:44):
a voice on the leadership team, and it's a voice on something that matters, and it allowed me to build bridges with people on a hard topic that people were struggling with in leadership teams, and then I had a better personal and deeper personal relationship with some of those other executives.

Dave Tyson (27:06):
Courage is important, right?
If it was easy, everybody would do it. Exactly.
Okay, let's move on.
So, given all of this, I'm sure you're doing a lot of this these days, but what's the advice you want to give to CISOs out there, whether you're just coming into the business or

(27:27):
you've been there 20 years?
What's the advice for them to go forward with?

Joe Sullivan (27:32):
I think it's less about you need to be a technical expert on every functional area in your organization.
It's more you need to be a relationship and business expert with people outside of your organization.
You have to get outside that comfort zone.

(27:53):
You have to build those relationships.
You need to understand how the different parts of the business puzzle fit together.
The better you understand what the business is trying to accomplish, the better you can manage risk and the better you can communicate about risk, and so it's not always intuitive,

(28:17):
but I think that's the direction we need to go.
Number one.
Number two, I think we need to grow up as a profession.
We need to develop some more standards and expectations.
I help a lot of companies that are growing quickly and I

(28:39):
typically talk to their CEO, and it's because some of their board members or their venture capitalists look at the company and say, wow, there's some amazing intellectual property or sensitive data or something valuable inside the company that needs to be protected, and the organization's naive. Talk to the CEO, and so I'll end up spending time talking to the CEO

(29:00):
and then I'll help them hire a security team.
But the executive comes into it, that CEO often not knowing anything about security and needing someone who's ready to be there.
We haven't mentored and developed enough people in our profession to fill all the important security roles that

(29:22):
are now available, and we don't have professional associations that provide the level of mentoring and support that we need.
Because the reality is, this role one level below this role is very different from this role, and so you actually don't

(29:46):
really come to appreciate and see all of the issues until you're thrust into the role and then you start drowning and, as a kind of collective group of people who are all kind of swimming in the same deep water, we need to get better at supporting each other in more structured ways.

Dave Tyson (30:08):
You know it's interesting.
You say that because I look back over my career and I look at I think there's somewhere in the neighborhood of 30 people who've been my directs who are now CISOs and I'm sure most CISOs who've been around in the time.
I have the same scenario because our directs and even their directs are being pulled into that void, that gap that's

(30:29):
in the market for years.
I mean I go back to the Clinton Commission on Critical Infrastructure where they were saying there's thousands of open roles and it takes 10 years to train somebody.
I mean I would argue it takes more than 10 years to be a tier one CISO.
But it would seem that this, that mentoring, that development

(30:49):
is really going.
It continues to grow in importance, not because you're talking about now being able to interact in a room with the grizzled professionals across every, you know, security's one of those spaces where, you know, literally touches every aspect of a business. Right.

Joe Sullivan (31:09):
I've found at every company I've been at that my team has a broader visibility into what's going on at the whole company than anyone else, except for the CEO.
Ours is at a different level than the CEO's, but we're.
If it's happening with technology, we need to know about it. Right.
And so we know what's happening with technology over in the

(31:30):
marketing organization that the CIO doesn't even know about.
Or you know some Skunk Works project over another career, like.
We have to know every single one of those things and have the, have a pathway into A, being invited to the project, right, and B, being able to communicate and manage the risk in those.

(31:54):
The challenge I see is in the leadership.
Like that step into leadership.
You have to, you have to want to step into that leadership because you have to push, and a lot of security leaders are really comfortable staying one level away from where they

(32:16):
really should be.
You've probably seen this a million times.
There's conversations in CISO groups.
Where do you report? Right?
It seems like there's a.
There are two factions.
At the end of the day, there's the we should be reporting to the CEO because this is a full scope business risk thing and

(32:39):
the top level needs to understand it.
And then there's an equally large faction that says I don't want to get that close to the sun, my wings will melt, right, and it's a real fear like I won't be able to do my technical work.
I will be.
I won't understand 80% of what they're talking about in that

(33:00):
room.
It won't feel like a good use of my time and I remember the first time I sat in an exec meeting.
I didn't understand 90% of it and at the end of the meeting I felt like I just heard a bunch of words and didn't accomplish anything.

Dave Tyson (33:14):
Yeah, I mean 20 years ago in this business, or even 15 years ago, I think, at a very, very immature way to say it.
But I was just like when they'd say, what do you need to do this job?
I said, go get an MBA.
Like it's not a technical skill set.
I mean, yes, you could hire talent in technical, but you need to understand every aspect of the business, and not that an

(33:37):
MBA is be all end all anymore, but, but it's you have to understand it.
I, I now think, you know, yeah, that's, that's table stakes to me in this role.
Now we should have a law degree, an MBA and possibly a social worker degree to be able to talk people through, talk them down.
I think.

Joe Sullivan (33:55):
I think you're spot on on the business.
I had 2019, I partnered with someone from Stanford Business School and we did a mentoring program for a group of first time CISOs and I came up with the idea because at some point I think in 2018, I started thinking I've acquired.
I was talking to someone who'd gone to business school and I

(34:16):
was like, oh, what are you doing in business school?
And then we ended up having this long conversation, walking through each of the classes, and at the end of it I said I, I think I have an MBA through experience, because everything you've talked to me about your classes is stuff that I've been in those business meetings for.
And so I created this training program, business for security

(34:42):
leaders, and we mentored a group of security leaders. Fantastic, and they ate it up because they were able to ask questions and process it and think about it and they could relate to specific meetings they'd been in before but not really understood the language.

Dave Tyson (35:01):
There's a definition out there that I've been struggling with and I'd love to get your perspective on, and that is the word breach.
What constitutes a breach?
I think there's.
You know, there's a regulatory view, and I think there's a number of regulatory views of what that means.
Then there's, I think, maybe different legal definitions, but

(35:23):
it seems to be one of those murky areas now that, that causes pain, because at a technical level, I would say that there are some people who will say that breaches happen every single day, at every company.
Depending on your view of what a breach is, what are your thoughts around what that legal definition or that regulatory

(35:44):
definition, that organizations, I've even heard companies say you can't use the word breach.

Joe Sullivan (35:50):
Yeah.
So I think of it the same way I would think of any other
technical specialty.
We wouldn't ask someone who doesn't know how to code to you
know, go work on the software, and to me that's legal

(36:11):
terminology where we need to have an expert in the room, and
I don't think any security leader should try and become
that expert themselves.
I felt like after my case kind of first splashed into the news,
there was a lot of that running around and trying to figure out

(36:33):
how do I memorize every permutation.
There's no possible way.
If you run security for a multinational organization that
has customers in Europe and Asia, forget it.
I mean, in every company I've worked at we've had customers on
every continent and probably hundreds.

(36:56):
You know over 100 countries.
So there's no possible way that I could know what our
obligations are around engagement with government.
The thing that the more important thing for the security
leader in my mind is to internalize, something even more

(37:19):
scary than trying to memorize all that stuff, and that is, if
you look at my case and what the government was really upset
about, what the judge was upset about even at the sentencing,
was the totality of communication by the

(37:40):
organization about security at a high level and then the minutia
at a low level, and I think that's a great expectation that
some people at the company will understand all of those
obligations and make sure that they're happening accurately.

(38:00):
We don't have dedicated people on our team in security that do
that.
We count on other teams to do that, and so, oh, there's been a
lot of conversation about security leaders, like
employment contracts.
What should they have in theiremployment contract?

(38:21):
Everybody wants to talk about D&O insurance and stuff like
that.
I think more importantly would be to have a commitment from the
company to have the resources you need to do your job and
where there's risk like this.
So, getting back to something we were talking about earlier, I
want the company to commit, have dedicated attorneys who are

(38:43):
expected to be experts in these areas, who are effectively on
call, because, as you know, most of our security incidents
happen on Friday night, on a holiday.
Yes, if it's a three-day weekend, you're going to have a
problem and we need to have a lawyer there with us, but we
also need to have a communications person who

(39:05):
understands this space too, and maybe you need to have outside
counsel committed to, which is another layer of cost that
companies balk at sometimes, but you've got to insist on all
those things because it's going to be a team process.
And why do I say that the security leader needs to care
about that?
Because if you look at the situation related to SolarWinds

(39:30):
right now and you compare it with my case, you'll see.
There's one specific factual thing that struck me.
I was able to hear the CSO from SolarWinds talk about his case
and where it's at, and my number one takeaway from that was that

(39:52):
his company had done a lot of communication about security to
the government and a good percentage of it he hadn't
personally seen.
And in my case, my lawyers actually had a slide that showed
all the communications with the government and the
communications with the government that I had seen, and

(40:13):
it was a small subpart that I had seen, and in the same way
that a person on the other.
If you step back and you stopped a person on the street,
a person who might be a juror in your case, and you said, hey,
this company has a security issue and they have a head of

(40:36):
security who should be responsible, the person on the
street.
They'll be like the head of security they screwed up.
And then the head of security would say but wait, I'm just
like one little part of this big machine that spits out an
outcome and nobody cares, and it's the same thing.

(40:58):
Okay, the company said something.
You're the person on the street.
The company promised me good security and promised me that
everything was okay.
Oh, and there's a person inside the company called the head of
security who should be on the hook.
It's the person.
I guess the question is how much are we as security leaders

(41:23):
paying attention to all the things our company is saying
about security in all these contexts?
I've been a public company and sometimes I've seen the 8Ks and
the 10Ks that the lawyers have sought me out and said hey, it's.
Usually they would seek me out and say we're changing the
language and we wanted to run by you and I'll look and be like

(41:43):
well, I never saw V1.
How many years have we been saying that?
And so, and maybe like, what percentage of security leaders
know what an 8K and a 10K is?

Dave Tyson (41:56):
Or where's the comparison?
You look at the language that's in those and I've reviewed a
lot, I've written a few and it's always the standard stuff.
We use best practices, we have an outside firm that tests these
things, but there's very little relationship between that and
the day-to-day realities of security in an organization.
I mean, that's a nice general high-level feel-good statements

(42:20):
and I think that that's the kind of stuff where there's a risk
of reality and the regulatory to bash into each other at some
point.

Joe Sullivan (42:33):
Yeah, there's one other layer to this that I've
been thinking about, which is I'm lucky in some respects right
now that I have a different perspective, which is I'm not
working from inside one company, I'm doing consulting and
advising to a number of different companies, and so I've

(42:53):
been watching as there are debates about new, different
policies.
The federal government will release a statement saying we're
thinking about banning ransomware, or we're thinking
about this and or we want to pass regulation requiring that
makers of software have liability for that.
And I was thinking whose voice is heard when the government

(43:20):
says that and gives them feedback on it?
The companies that we work for often have a very strong opinion
on the regulation, and the strong opinion is usually we
don't want more regulation.
And so that goes back to the thing I was talking about, where
we could live in a world of regulation by enforcement or

(43:42):
regulation by rulemaking.
If you're the person who's supposed to drive the car,
between the lines, the security leader which world do you want
to live in?
You want to live in a world of rulemaking, so you might feel
very differently than your company about what rules the
government should be putting out, but as security leaders, we

(44:05):
don't have a strong voice.
The only voice is our company, and we might have like if we're
some of a subset of CSOs who actually get invited to internal
meetings about policy things we might have voiced an opinion.
We might have said, yes, we would like a nationwide data

(44:28):
breach law that brings consistency and simplicity to it
when our companies are in Washington DC throwing sand in
the engine of that type of change.
And so I think, as security leaders, we need to find a
bigger voice.
We should be thinking about how to get a voice outside of our
organizations that we work for today.

Dave Tyson (44:51):
Joe.
Turning now to sort of we talked a little bit before about
the relationship between government and private industry,
whether they be publicly tradedor not.
What are your thoughts on howthat relationship can evolve or
grow to be more effective?

Joe Sullivan (45:07):
I think it's on all of us to make that
relationship better, and I think there are a lot of concrete
things we could do.
It's funny sometimes when I read articles about certain
industries.
They'll describe how people move between the private and the
public sector back and forth and a lot of times the articles

(45:29):
are negative about that because of the idea that, oh, you go
into government, you regulate an industry and then you go out
and make lots of money and then you go back in and you protect
the companies you worked for is kind of the way it gets spun.
But there's a flip side to that, which is when you're in
government after you've been in an industry, you understand it

(45:51):
at a different level and you appreciate the good things and
you know where the skeletons are too.
And so if you're really committed public servant, at
that point you have the tools to do the job better than if
you've never been in an industry.
I look at the legal profession.

(46:11):
When I got out of law school, I went and did a clerkship in the
government.
Most of the people who did clerkships with me went into the
private sector and they worked at a law firm for a few years.
Then they wanted to become trial lawyers.
So they went back to the government and did trials.
Then they wanted to become partners at law firms and they

(46:34):
went back and then maybe, if they were lucky, they became a
judge.
But what you had there was the public and a private sector that
understood each other, did it together, spoke each other's
language, and we don't quite have that in security for a

(46:54):
bunch of different reasons.
People inside government I know because I was there you get
attached to the idea of your equivalent of a pension and
retirement at a certain age, and so there's the pros of the
compensation on the government side, but you go on the private
sector side and there's financial pros too that are hard

(47:16):
to leave behind to go into the government for a short period of
time, and so there's not the incentive.
I've talked to people that I've probably personally helped more
than 50 people find jobs in tech companies coming from the
federal government and kind of mentored them through that
process, and they felt that when they were making that

(47:41):
transition out of government that they were not shunned but
looked down on and the idea of them being invited back into
government they felt like it wasn't going to happen for them.
So that's kind of like one dynamic that undermines that
back and forth.
A second thing that undermines it is the government and the

(48:05):
private sector don't use the same frameworks for managing
risk, don't use the same technology for running their
organizations, and so if you're in a security leader is supposed
to be technical in terms of understanding their environment,
and if you've never operated in an environment like the private

(48:27):
sector and you've only operated in a technical environment in
the government, there's another reason you don't speak the same
language.
And so we have this Tower of Babel situation, where you've
got these lots of different types of private sector
organizations and lots of different government
organizations trying to figure out and are collectively

(48:49):
responsible for the safety of the citizens.

Dave Tyson (48:53):
So is there anything specific you can think of that
we could do to evolve that from how the government is able to
how we can partner together better?
I wonder, because today we have regulatory frameworks, we have
some best practices, we have a few of those things, but the

(49:14):
bugbear in the room has always been information sharing.
That's been a tough one.
There's been a lot of debate.
I think that the government continues to try to do the right
thing there because they have a test that have to balance.
Obviously, you have to control sources and methods, but is
there anything else that we can do to evolve that public-private

(49:37):
partnership?

Joe Sullivan (49:40):
There's a lot and I will say that there's been a
lot of progress, I think, in the last decade and fits and starts.
Last year I was the CSO at Cloudflare and, even though my
case was pending and going to go to trial, I was still in

(50:04):
meetings, working hand-in-hand with senior people from
Department of Homeland Security as we dealt with Log4j, as we
dealt with the full-scale invasion of Ukraine in February
2022.
And there were intentional collaborative efforts by the US

(50:25):
government to try and engage with the technology platform
companies that could help and had visibility into what was
going on, and those are very productive collaborative efforts
Interesting right now.
I know that I really enjoyed those collaborations.
But now there's talk of and I guess it's got subpoena

(50:49):
authority in some context, but now some security leaders are
saying wait a minute, I'm supposed to go in, open the
kimono and talk to these people who are going to be regulating
or investigating me.
It creates a bit of a funky dynamic there when you're
thinking about partnership, Right.

Dave Tyson (51:09):
When you think about the I'll call it the diversity
in regulations that exist out there.
One person's opinion I've seen five or six government entities
over the last couple of years take a broader stance in
regulating the cybersecurity space.
We've seen this with privacy.

(51:30):
Obviously this has been a big deal.
But the FCC, the SEC, there's a number, even the Department of
Energy, TSA all trying to do the right thing.
Do you think there might be a better model or some way to be
able to articulate what organizations should do without

(51:52):
having to create another new framework or another new
regulatory body or another new set of rules that would
encourage businesses to want to do the right thing?

Joe Sullivan (52:05):
Yeah, it's funny.
I think there's a saying we use a lot in security, which is
complexity is the enemy of good security.
Our good security starts with simplicity.
I would submit that the same would be the case for regulation:
the easier the rules are to follow, the more likely they're

(52:26):
going to be followed.
I do see that different regulators bring different
issues, because each regulator comes to the situation with a
different mission.
They have a different drive based on who they are and who

(52:50):
they represent and who they're supposed to protect.
A good example of that is looking at the world of privacy
at a very simple high level, comparing how the European
regulators approach privacy versus US regulators.
You probably say well, who is the US regulator on privacy,

(53:12):
which state?
And so there's a lot of different stuff and California
has stepped up and done a lot recently.
Other states are doing things and the federal government would
probably say there are some privacy laws in different
contexts.
But from the side of someone who sat inside companies that

(53:37):
were regulated on privacy, it was good to have different
regulators who had different perspectives.
I just wish they talked to each other and put it in a single
framework and spoke in a single language to us.

Dave Tyson (53:53):
Well, I think what it does is it forces companies
to from my personal experience whatever is the most strict.
That's what we're going to apply to everybody, for the
simplicity concept.
If we have to meet something that is onerous, at least it
will be the same for everywhere we can.

Joe Sullivan (54:10):
The challenge is that's not always the most cost
effective to do it that way, and the regulator who came up with
the most strict might not be the regulator who understands the
industry best and is trying to balance supporting businesses
growing in their local economywith risk management.

Dave Tyson (54:33):
Looking back at this conversation, I wonder do you
think that the role of the CISO, as it relates to management or
the board, has changed fundamentally?

Joe Sullivan (54:47):
I do.
I think it has grown into a much more important role.
Its growth is tied to the growth of technology in our
society.
Twenty-five years ago, you didn't need to have an expert on
the board and in the C-suite who could explain the downside

(55:09):
risks to your customers in the world and the expectations that
they have on the organization.
Now every organization needs to have both.

Dave Tyson (55:23):
I was present at your sentencing and heard what
the judge said about where is the CEO.
I wonder if that message is going to be heard loud and clear
in terms of not only awareness but change.
Do you think that this is the beginning of that journey for

(55:48):
CEOs and for executive leaders?

Joe Sullivan (55:51):
I do.
I think that the SEC guidelines are a really good next step.
I was talking to some CISOs recently and I said, and this
topic came up and they said, oh, they're planning on going to

(56:12):
their board and explaining this new stuff from the SEC.
I said why are you explaining it?
Why don't you ask your general counsel to explain it?
They're the experts on the law and regulation.
By the way, it would be better for you personally if it's
someone else explaining it rather than you.
Sometimes it feels a little unfair to the security leader

(56:35):
that they're not just the person who's supposed to go do the
substantive job, they're the one who's supposed to explain that
the job needs to exist.
Explaining that the job needs to exist feels like you're being
a squeaky wheel.
We should be the squeaky wheel about the substantive security

(56:57):
risk.
Okay, we need to dedicate some resources over here, but you
having the resources to go find the problem shouldn't have been
something you had to fight for,but it too often still is.

Dave Tyson (57:12):
So now, Joe, thinking about the case which
you've been through all of the thinking you've probably done on
this over the last while, how do you think about this
differently?
How do you think about what those key messages are to both
CSOs, to management and even to the board?

Joe Sullivan (57:36):
Well, I think let's take each group
individually.
I think for board members a really important question that
they need to ask themselves is am I getting the full picture?
Am I getting unvarnished truth?
Do I think that the company has the resources to actually get

(58:00):
to the truth and team that's funded to get to the truth?
And then, do I trust the truth that they're giving me?
I'm sure board members think in all contexts I'm getting a very
polished presentation that has been tailored to make me feel
everything is perfect except for very specific things.

(58:22):
So I assume board members are trained in how to dig.
They've got to learn how to dig in this new area and I don't
think it's easy.
I do a lot of going inside companies and looking at their
security posture and I've been doing security for a long time

(58:45):
and I've run large teams inside large organizations doing
security, I think, very well.
But I couldn't figure out in four hours whether a company is
doing security well.
I don't think I could figure out in 10 hours whether a
company is doing security well, and so that means the board
member needs to have some of that independent ability to

(59:08):
figure out is the company doing security well?
But also the company has processes to kind of surface and
deal with risk in a way that they feel confident that things
are getting surfaced to them.

Dave Tyson (59:21):
Do you think that boards need to have their own
independent advisors on this topic?

Joe Sullivan (59:31):
Most of us.
When we're running our own security team, we don't just
listen to our own team, we bring in outside auditors.
A lot of us are required to bring in outside auditors by our
customers.
So I'm sure when you, every organization that you've run,

(59:53):
you've had a vendor security program where you scrutinized
your third parties and you made them get third party auditors
come in.
It's a sad truth, but security is complicated and having
multiple eyes look at things usually leads to better outcomes.

Dave Tyson (01:00:12):
So what about the other audiences here?
You've got the management team, the CEO, a senior exec team and
you've got the CISOs.

Joe Sullivan (01:00:20):
Well, hopefully, the rest of the management team
is starting to realize two important things.
Number one security presents a real risk to the business, and
so everyone on that leadership team is invested and has one
goal the success of the business.
And so security is one of the things that if the brakes stop

(01:00:43):
working on the vehicle, you're not going to start the vehicle
because it can't stop.
So they need to be supportive of investment and security.
And that's a challenge because every leadership team gets a
certain amount of money and they want to spend, and it's always
a debate between what do we spend on growth of the business

(01:01:05):
and development of customers and development of products versus
management of risk.
But if you're looking at it holistically, with the right
approach, then you're going to allocate your budget to both
sides appropriately.
So that's part one.
And then part two for them is they're personally on the hook
now in ways they weren't before.

Dave Tyson (01:01:25):
Yeah, yeah, all right, let's close out with the
CISOs.

Joe Sullivan (01:01:30):
Yeah, and for CISOs.
I want every CISO to step up and become a company leader.
I am sorry, but they have to carry that weight of advocating
for and insisting on the right resourcing and they have to do
the substantive job.

(01:01:51):
They need to be part of the exec team.
They need to be part of the team that makes the decisions
every day about how the business is run.
They need to keep pushing to be in that room.
I think some CISOs are pushing to be on boards too, and that
will be great because then they will really see holistically how

(01:02:12):
multiple companies run.
And that's really uncomfortable for most CISOs who come from
the technical ranks who, when they got into those technical
ranks, thought of this as a profession that had a certain
ceiling.
And now we're telling them that wasn't the ceiling, that's the
floor and they got to step up and no one's holding out a hand

(01:02:35):
to pull them up.
They just have to jump up there, yeah.

Dave Tyson (01:02:39):
You said earlier that you're out doing consulting
for different firms.
I'm sure your advice is immensely valuable from your
experiences.
So what's next for you?

Joe Sullivan (01:02:51):
So I do a half-time non-profit work.
I'm the CEO of a non-profit that provides humanitarian aid
to people in Ukraine.
We've done a lot of different things as the kind of war has
evolved.
Right now, a big focus for us is helping kids who are in
remote school in Ukraine.

(01:03:12):
So in a country of 40 million people, half the kids have
remote education still.
So they had remote education during the pandemic and then
when our kids got to go back to school, theirs didn't because
the war had started, and so these kids have been in remote
learning for years, and it's just a tragedy.

(01:03:33):
So I've been partnering with a bunch of different companies to
take their used laptops over so that the kids can use them,
because of all those kids who are in remote learning, half of
them don't even have a laptop.
They don't even have a computer.
They're borrowing something off of their parents' phone to do
remote learning, and so one of the cool things is that I've

(01:03:54):
been able to get a lot of companies to look and figure out
what do we do with our used laptops and then plug my
non-profit in and we'll ship them over, make sure they're
cleaned and wiped and safe and all that stuff first, of course,
every single company that's donated a laptop has been a
company that I was connected to by a security leader of that

(01:04:17):
company.
So we talked a little bit about the network of security leaders
in the world.
It's a very caring group.
Security leaders seek each other out partially for
commiseration and moral support, but partially for learning.

(01:04:40):
I mean, the reality is, when you get in that security leader
role, everyone above you thinks you know the answer and
everybody below you thinks you know the answer.
You know the answer, and so you're afraid to show that
weakness to anybody.
It's hard to say I don't know the answer to your team, and

(01:05:00):
it's hard to say I don't know the answer to your CEO.
And so who do you turn to?
Your peers.

Dave Tyson (01:05:06):
It's so funny.
I got to tell you the story.
So I joined eBay in October of 2007.
I had been in the industry a long time, you know, in Canada
mostly, but I just moved to the US and one day my boss, Dave
Collinane, who I'm sure you knew quite well, comes along and I'm
throwing all of my security books into the trash.

(01:05:28):
I had quite a library I was proud of.
And he said what are you doing?
I said well, I'm throwing all these books out.
And he said well, why?
I said because everything I'm expected to do here hasn't
happened yet and there's nothing in these books from the past
that prepares me for that any better.
And that's how I sum up the experience of being a CISO.

(01:05:51):
So often it's the next new thing, the next new technology,
the next evolving problem, and you have to be good at dealing
with the uncertainty Right.
I say you know, being a CISO is like you know, getting 10% of
the information you need and making career ending decisions

(01:06:11):
all day long.

Joe Sullivan (01:06:13):
It's not easy.

Dave Tyson (01:06:15):
So back to your organization.
If folks who see this want to be involved, can they donate
laptops?
Is there a place they can do that?

Joe Sullivan (01:06:23):
Absolutely.
Our website's ukrainfriendsorg.
You can send an email to info at ukrainfriendsorg and it'll go
to me, and we only have two employees in the United States
one who's paid and myself volunteering, and the rest are
all over in Poland and Ukraine.
We have warehouses over there and we ship things over.
We also ship over medical equipment, blankets during the

(01:06:44):
winter, you name it.

Dave Tyson (01:06:47):
Excellent.
Well, we'll make sure that message gets out there.
Thank you for your time today, Joe.
It's been really great.
Thank you. Appreciate it, thanks for having me.

Mark Havenner (01:07:00):
This has been Executive Cybersecurity with
Dave Tyson, a production of Apollo Information Systems.
Visit us at Apollo-IScom or, if in Canada, apollo-isca.
Thank you for listening.