Executive Cybersecurity with Dave Tyson

Cybersecurity and the Law: A Conversation with Joe Sullivan

October 05, 2023 Dave Tyson

In a time when the regulatory landscape is evolving faster than ever, Joe provides invaluable insights for organizations and security leaders navigating that perilous landscape. Drawing on his extensive experience training law enforcement across the globe, as well as his personal experience with the legal fallout of the Uber data breaches, he highlights the importance of regulators keeping up with the latest technologies.

Joe lays emphasis on the need for security leaders to effectively communicate technical risks to non-tech-heavy audiences, firmly establishing themselves as trust-builders within their organizations.

Joe talks about the symbiotic relationship between the public and private sectors in cybersecurity. He underscores the challenges in transitioning between these sectors and the crucial role of information sharing and standardized risk-management frameworks.


Mark Havenner:

You are listening to Executive Cybersecurity with Dave Tyson. Welcome to season two of Executive Cybersecurity. In this season's inaugural episode, Dave is speaking with Joe Sullivan, former CSO of Facebook, Uber and Cloudflare, and who was the target of a federal prosecution for Uber's 2016 data breaches. Joe is now CEO of Ukraine Friends, a non-profit focused on humanitarian aid to Ukraine.

Dave Tyson:

Well, Joe, thanks for joining us today. I really appreciate you taking the time. I know you're a busy guy. Maybe we can just start for background for some of the folks who will see this, maybe give a little history of your career. I know you started out in law enforcement, or maybe even before that. Can you take us through the journey?

Joe Sullivan:

Sure, I guess I knew from the beginning that I wanted to go to law school and then get out of law school and work for the government. While I was in law school I did a volunteer internship with the US Department of Justice and then I applied to the Department of Justice for the only path into the federal government Department of Justice straight from law school, an honor law grad clerkship. It was a one-year clerkship with the Department of Justice. That was my first stop out of law school. I then went and worked at a law firm for a couple of months, which validated for me that the government was the right path, and reapplied and got back into the Department of Justice and spent another seven years there, culminating in the second half of that time all getting to work on high-tech crime.

Joe Sullivan:

Back in 1995, I was the person in the Department of Justice who was convincing everyone to give me a connection to the internet from my desk. They actually gave me one, I think in 1996, but it was not. I had to use a separate computer and it was a direct line out and it wasn't allowed to connect with anything inside. So I could access the internet from my office to do research, but I couldn't kind of mix computers, so to speak. Then in 1997, I got a chance to become what's called a computer and telecommunication crime coordinator, which is what they called the first set of federal prosecutors who were trained to specialize in high-tech crime.

Joe Sullivan:

From there, in the beginning of 2000, I became a full-time federal prosecutor here in Northern California was actually based in the San Jose office right down the street, and I was one of a group of people who were selected and the first federal prosecutors who were dedicated full-time to high-tech cases.

Joe Sullivan:

We called it the CHIP unit, Computer Hacking and Intellectual Property, and I did that until 2002. I was recruited to eBay and stayed at eBay until 2008, if you count my time on the PayPal side of the house, got invited to go over to Facebook in 2008. Was there until 2015 when I was invited to go to Uber. After two and a half years at Uber, I went to Cloudflare and I was the CSO at Cloudflare, I should say. For when I went to eBay I had a hybrid role that was kind of half legal and half trust and safety slash security, and that was my real kind of introduction to doing it on the corporate side. At Facebook, I became the company's second chief security officer and was there from when we were smaller than MySpace to an over-a-billion-user public company.

Dave Tyson:

It's an amazing journey. As security professionals, we often joke about having to break in our lawyer when we get to a new CSO job and you have the opportunity to have the best of both worlds. You understand the law and certainly led from the front in a number of things. I remember watching from afar at Facebook where you took out a full page ad in the newspaper to talk about the issues and obviously you've helped on good, solid legal ground to do that and I think that's a great combination of skills. You don't see it every day with people who have both a law degree and prosecution experience and leading the front from a cybersecurity perspective.

Joe Sullivan:

Yeah, it's interesting. The thing I try and remind people, though, is, in the same way, that not every engineer is good at every type of engineering, not every lawyer is good at every type of lawyering, and, like any trade, if you put down the tools, the skills fade quickly. So I think, in terms of when I got away from practicing law, I still understood the complexity of it, and one of the things that I always advocated for at every company and, generally speaking, in God, was having specialist lawyers hired and assigned to work with my security teams. A lot of times at an early company, they'll have why would we need a specialist lawyer in an area like security, and it was complicated then. It's 10 times more complicated now in terms of the legal landmines that exist.

Dave Tyson:

We had the opportunity to briefly work together at eBay and I know you worked on a lot of stuff there and I gathered from watching from a distance that you had the opportunity to train other lawyers in other places about how to prosecute these types of crimes. How would you say that the profession is evolving in terms of their understanding of what the issues are and the ability to provide great advice to organizations?

Joe Sullivan:

Yeah, I think that's a really good question. In some ways, it's a lot like the legal side that supports us and the other areas that support us in the world of security. They're evolving at the same pace that security is, and security is evolving tremendously quickly right now in terms of the role, expectations, the breadth of understanding you need to have. When I get together with large groups of security executives now, or small groups, the conversation over the course of a day is shockingly broad. We're talking about very technical things related to the latest attacks, and then we're talking about legal issues related to liability of ourselves. We're talking about legal obligations of our companies, regulatory obligations of the organizations we work with, but then we're also talking about finances and how to manage budgets, how to manage vendors and then, on top of that, how to manage up and engage with boards and other kind of executives.

Joe Sullivan:

And if you look at our profession, it didn't really exist 20 years ago. In the same way, I think when I became the CSO at Facebook, most of the people who were my peers were kind of like mid-level inside their organizations, many layers down from the top leadership of the company, and that was viewed as kind of like the peak and you were expected to be a hands-on technical leader. Flash forward 15 years and you're now expected to be able to sit in a boardroom and talk about every subject that comes up in the boardroom when we talk. When a lot of security leaders raise their hand and say, can I be a board member or executive at that level, or why am I not a board member, the answer is really because you don't have the experience that a board member has thinking about all the issues that an organization needs to handle. The goal is a boardroom should be a group of people who are collectively thinking about and discussing at a high level every single issue for that organization and there are no one-trick ponies in the room.

Dave Tyson:

One last question on this line before we move on. What do you think about the relationship between the board and executive management around this responsibility for cyber? It seems like it's evolving and I wonder how well that's understood.

Joe Sullivan:

It's interesting, I think, that security leaders for a long time have been asking for and trying to figure out how to get board and top level focus on security and now that we're getting it, it's stressing us out again. So it's like it used to be 10 years ago when the security executives got together the talk was like how do I convince my company to give me board time? How do I? Okay, I got the board time. Now what do I say? And now it's the board wants regular updates, regular engagement, communication that they understand and they want some training too.

Joe Sullivan:

So it's evolved fast and remember, the people who are now appearing in front of the boards were the people who thought the pinnacle of their profession was going to be far from that 10 years ago. So maybe they chose the profession because it was comfortable in terms of like they weren't going to be at that level. Like I remember back when I was at eBay and we had a great slate of top leadership at the company and I would watch people like Maynard Webb or Meg Whitman and Mike Jacobson, the general counsel, who I can see Meg always looked at as a business leader as much as an attorney, and you just look at these people and you think, oh, I'm not ever going to operate at their level someday, and so I'm just, I'm cool being down here. And then next thing you know, you're actually in meetings with them and they expect you to communicate with them like a peer, right.

Dave Tyson:

Let's talk a little bit about the environment that companies operate in now, and I mean, if you look at the evolution of regulations, consumer expectations, even the legal realm obviously is. It's changing rapidly and we've seen multiple agencies in the United States for sure, and what will no doubt start to affect other places, evolve. Most recently, a number of organizations, whether it be the SEC or others, have gotten into the regulatory game. There's legal precedent, cases that are constantly being pushed now, even what I might refer to as activism at the state level in some of these spaces. What do you think about that evolving landscape in terms of what the implications are for organizations?

Joe Sullivan:

Well, I think it's important for every organization to understand operate within the boundaries of the law, and what we need is, in many ways, more clarity on what the rules of the road are. It's something I've thought about a lot. There was a I read this newsletter that comes I'm not sure if it's weekly or daily or somewhere in between by this journalist named Matt Levine, and last year he had a really great article on, I think, regulation in the cryptocurrency space, and I read the article and it made me think of other analogies beyond the crypto space. And what he said was and I'm not quoting directly, but I've read it a few times he said something like let me tell you a dumb, a dumb framing of how regulation works. And just, he was like trying to simplify it. He said there's two types of regulation. There's regulation by rulemaking, which is you know, when we drive down the street, we have the rules, they're very clear, we know what to do with the yellow line and what to do with the white line and which ones you can cross and when you can not cross them, and so that's regulation by rulemaking Give us the rules. If you drift outside the lines, you're in trouble. And then he said there's a.

Joe Sullivan:

What we're seeing so much lately is regulation by enforcement, which is you ask for the rules, you ask for the lines, but the regulators don't give you the lines and they kind of sit back and wait and when they see something they don't like, they come in with an enforcement action. And he was talking about it in the context of cryptocurrency and that resonated with. I don't know a lot about Coinbase, but from the outside it seems like they're the one cryptocurrency company that has been trying to follow the rules and has asked for guidance and then not received it, and now are in, you know, facing a bunch of enforcement action. Right, and if you, if you think about it, it's. This is happening in the cryptocurrency space because it's fast evolving.

Joe Sullivan:

It's hard to understand from outside the industry, regulators don't have a lot of experience in it and consumers jump into it and then consumers get hurt and so regulators, if they're not, if not on the ball, we end up in that world of regulation by enforcement, and it seems to be happening right now in the AI context. There maybe there's actually more conversation and discussion about regulation up front, but it almost feels like it's too late for those of us who've worked inside companies that have been using machine learning for over a decade, right? The public debate is only happening now because one product, ChatGPT, was launched. That kind of like shocked the whole rest of the world into awareness about what's been going on, right, and so the question is, you know, in AI, is this a chance for regulators to actually get ahead and have regulation by rulemaking?

Joe Sullivan:

In the world of internet in general, this has been the story of the last 20 years Companies get out ahead of government understanding, consumers get hurt, regulators come in with enforcement, and I think it's important for everybody to kind of like think about regulators that way that they're not. They need, they need to be engaged proactively, they need to have visibility into the new technology, they need to understand the implications of it, and there need to be people inside the companies that are trying to engage with them and explain the risks and the opportunities.

Dave Tyson:

You know, what you said makes a lot of sense, but it also triggered a second thought. When I was at the city of Vancouver, we were preparing for the Olympics and there were a lot of topics that we were tackling. One of the lawyers who worked there made a comment to me that said we're tackling a lot of new technologies, we're tackling a lot of things, and you know the regulators, even some of the senior judges, you know, weren't born digital, they were born analog. There's a lot of gray hair at the courthouse. There's a lot of gray hair in the regulatory framework, you know, leadership, and I wonder, now that was a while back, but I'm wondering if you think that now the technology is better understood, or how it's used is better understood, by those who make the rules.

Joe Sullivan:

Well, I think it depends. I've, you know, over the course of so many years at so many different companies, I've had the chance to go around the world and I've trained law enforcement in probably 25 different countries and I think even just at eBay. I went to 47 of the 50 state capitals to try and engage and explain to law enforcement and to other regulators how to go. Like we at eBay, we wanted the government to give us the rules for what we should allow to be sold on eBay and whatnot. And we, because we're dealing with a two-sided marketplace, we wanted the sellers to know that if they defrauded a buyer, we were going to bring a case to law enforcement. We were, eBay was pretty aggressive in that context. We wanted the buyers to know that we had their back and we wanted to know the sellers. We wanted the sellers to know that we were going to hold them accountable.

Joe Sullivan:

Because if you remember the early days of eBay, before PayPal and Billpoint really took off, it was literally see something you like, put cash in an envelope, mail it and hope that the stuff showed up. We're and I remember telling my mom about, like that's the business model of the company I'm going to work at and she thought that's crazy. But the reality is most people, like we used to say it, but most people are basically good, and so most of the time the transactions were happening and they were amazing. But then the bad guys, you know, see the opportunity and they move in fast and we had to be aggressive against them.

Dave Tyson:

So let's change gears. But how has your experience, as you've been through all of this, obviously what you've been through most recently, you know, in the legal system, how has this reframed your thinking about how executives should think about cybersecurity and the responsibilities that come along with that?

Joe Sullivan:

Yeah, well, there was, there was. There's one thing that stuck with me and that I've told a lot of security leaders was the biggest gift to them from my case, and that's this. At the sentencing hearing, the judge said two things very clearly to an audience bigger than me. The most important thing he said was where's the CEO and the company? He put the government, he put the government prosecutor in the hot seat, right, for a few minutes and he said from where I sit, the CEO is equally, if not more, culpable, because the judge had seen in my case that throughout the whole investigation, throughout all the decision-making process, everything we did we ran, everything was documented.

Joe Sullivan:

We followed the playbooks, we followed the guidance from legal. We ran it all by the CEO and so the question was, where's the CEO? Right? And that's the reality of what happens inside a corporation. We don't operate in a vacuum in security. We don't just go sit in the corner and get to make decisions. Everything we do is just, in the same way that the person who runs marketing doesn't just get to put out ads, there has to be a collaborative process and feedback, and everybody in the leadership team who needs to be plugged in on a particular decision gets plugged in, and then the CEO makes those ultimate decisions, and so the question for the government in the next case is going to be, where's the CEO?

Joe Sullivan:

So I think that's an important one, because on the outside, and this is something that, how do I say this, a lot of security leaders are very frustrated by their inability to get their desired outcome in situations inside their company. Amen. They feel like they're, you know, shouting into the wind sometimes about risk, and this statement by the judge is a gift to those people. Now they have to be careful not to cry wolf, right, but it is a huge opportunity to drive awareness, and this isn't the only recent case where that signal has been sent that all the executives that are part of running the company need to be involved, and all the board members too. There have been, and I haven't kept up with all the details, but there have been quite a few cases where board members have been named in different ways.

Dave Tyson:

Well, you look at the, they went after the SolarWinds board, right, they weren't successful in that particular case, but you've seen executive liability. I mean, they went after the McDonald's HR person, they've gone after others and in some cases they have gone after the CEO. The Drizly case comes to mind, right, but yeah, I think that's, it's very true. I just wonder about, you know, what would be your thoughts in terms of that relationship between the security leader and the leadership? It seems to me that they're gonna have to articulately make that case to say, hey, this needs to be, you know, this is a business risk, yep, not a technology risk, and we need to manage it like that, whether, in my world, it would be great to make the business or the risk security decision.

Joe Sullivan:

When you make the business decision, right, and acquire something, you're gonna engage in a new tack, you're gonna build something new, so I think there's two sides to it, like every conversation, and each side has some responsibility in making sure that the right conversation happens. I haven't been on the board side, but I've been on the security leader side and I've talked to a lot of security leaders about it and I don't think security leaders can be let off the hook. I think we have a lot to do and that's, I spend a decent amount of my time now talking to security leaders about that and working through situations with them. First, I would say, at a high level, security leaders can't be that one-trick pony. They're not invited to the room because they're the technical expert. They're invited to the room because they can translate that technical issue to a non-technical audience in a way that they understand the risk. That's number one. But number two, they need to be a person who's communicating in a trust relationship with those other leaders. If you are part of a team that does hard work and makes difficult decisions on a daily basis, you build a level of trust and relationship that gives you credibility when you say this is really important. And most of our security leaders don't spend enough time on that, and I learned it when I was at Facebook.

Joe Sullivan:

When I became, I was promoted to the VP level. I was given an executive coach, and she said to me one thing that stuck with me a decade later, that I remember and I've shared with a lot of people, which is she said you spend 90% of your time down facing with your team and 10% engage with the other executives. She said a good executive spends 50% of their time engaged with the other executives. You need to build a leadership team within your organization that's strong enough that they only need 50% of your time, because the company needs you to spend 50% of your time with the other executives. And I remember thinking, well, what am I going to talk about? Because I don't think I just want to go hang out. If I go hang out with the CFO, they don't want to talk security with me all day. They want to talk about finance. They want to talk about their problems. If I go hang out with the head of HR, they want to talk about their problems. If I go talk with the head of business, they want to talk about their problems.

Joe Sullivan:

And so that was a real journey for me and I think for a lot of us you have to actually be able to go talk to those other executives about their problems and help them, and so I looked for different pathways.

Joe Sullivan:

To like, if I was sitting in an executive meeting and I saw an executive dealing with a hard issue that I thought I could help them talk through and it had nothing to do with security I would offer to talk it through with them.

Joe Sullivan:

If I saw an area where nobody in the room was an expert which often happens, I hate to say I would jump in. I became an executive sponsor for one of our minority employee groups and became a champion inside my last couple of companies for diversity, because I realized there's no obstacle for me stepping in and having a voice on this topic. In fact, it's good for my career personally and I've had so many diverse employees at companies say thank you for championing diversity for us. We're grateful and I always say well, I don't want to admit this, but I'm doing it for me. By standing up for you, I found another way for myself to have a voice on the leadership team, and it's a voice on something that matters, and it allowed me to build bridges with people on a hard topic that people were struggling with in leadership teams, and then I had a better personal and deeper personal relationship with some of those other executives.

Dave Tyson:

Courage is important, right? If it was easy, everybody would do it Exactly. Okay, let's move on. So, given all of this, I'm sure you're doing a lot of this these days, but what's the advice you want to give to CISOs out there, whether you're just coming into the business or you've been there 20 years? What's the advice for them to go forward with?

Joe Sullivan:

I think it's less about you need to be a technical expert on every functional area in your organization. It's more you need to be a relationship and business expert with people outside of your organization. You have to get outside that comfort zone. You have to build those relationships. You need to understand how the different parts of the business puzzle fit together. The better you understand what the business is trying to accomplish, the better you can manage risk and the better you can communicate about risk, and so it's not always intuitive, but I think that's the direction we need to go. Number one. Number two I think we need to grow up as a profession. We need to develop some more standards and expectations.

Joe Sullivan:

I help a lot of companies that are growing quickly and I typically talk to their CEO, and it's because some of their board members or their venture capitalists look at the company and say, wow, there's some amazing intellectual property or sensitive data or something valuable inside the company that needs to be protected, and the organization's naive, talk to the CEO, and so I'll end up spending time talking to the CEO and then I'll help them hire a security team.

Joe Sullivan:

But the executive comes into it, that CEO often not knowing anything about security and needing someone who's ready to be there. We haven't mentored and developed enough people in our profession to fill all the important security roles that are now available, and we don't have professional associations that provide the level of mentoring and support that we need. Because the reality is, this role one level below this role is very different from this role, and so you actually don't really come to appreciate and see all of the issues until you're thrust into the role and then you start drowning and, as a kind of collective group of people who are all kind of swimming in the same deep water, we need to get better at supporting each other in more structured ways.

Dave Tyson:

You know it's interesting. You say that because I look back over my career and I look at, I think there's somewhere in the neighborhood of 30 people who've been my directs who are now CISOs, and I'm sure most CISOs who've been around in the time I have have the same scenario, because our directs and even their directs are being pulled into that void, that gap that's been in the market for years. I mean, I go back to the Clinton Commission on Critical Infrastructure where they were saying there's thousands of open roles and it takes 10 years to train somebody. I mean, I would argue it takes more than 10 years to be a tier one CISO. But it would seem that this, that mentoring, that development is really going, it continues to grow in importance, not because you're talking about now being able to interact in a room with the grizzled professionals across every, you know, security's one of those spaces where, you know, it literally touches every aspect of a business, right.

Joe Sullivan:

I've found at every company I've been at that my team has a broader visibility into what's going on at the whole company than anyone else, except for the CEO. Ours is at a different level than the CEO's, but we're, if it's happening with technology, we need to know about it, right. And so we know what's happening with technology over in the marketing organization that the CIO doesn't even know about. Or, you know, some Skunk Works project over another career, like. We have to know every single one of those things and have a pathway into (A) being invited to the project, right, and (B) being able to communicate and manage the risk in those.

Joe Sullivan:

The challenge I see is in the leadership. Like that step into leadership. You have to, you have to want to step into that leadership because you have to push, and a lot of security leaders are really comfortable staying one level away from where they really should be. You've probably seen this a million times. There's conversations in CISO groups. Where do you report Right? It seems like there's a.

Joe Sullivan:

There are two factions. At the end of the day, there's the we should be reporting to the CEO because this is a full-scope business risk thing and the top level needs to understand it. And then there's an equally large faction that says I don't want to get that close to the sun, my wings will melt, right, and it's a real fear, like I won't be able to do my technical work. I will be, I won't understand 80% of what they're talking about in that room. It won't feel like a good use of my time, and I remember the first time I sat in an exec meeting, I didn't understand 90% of it and at the end of the meeting I felt like I just heard a bunch of words and didn't accomplish anything.

Dave Tyson:

Yeah, I mean 20 years ago in this business, or even 15 years ago, I think, it's a very, very immature way to say it. But I was just like, when they'd say, what do you need for this job? I said, go get an MBA. Like it's not a technical skill set. I mean, yes, you could hire talent in technical, but you need to understand every aspect of the business, and not that an MBA is the be-all end-all anymore, but it's, you have to understand it. I now think, you know, yeah, that's table stakes to me in this role. Now we should have a law degree, an MBA and possibly a social worker degree to be able to talk people through, talk them down, I think.

Joe Sullivan:

I think you're spot on on the business. In 2019, I partnered with someone from Stanford Business School and we did a mentoring program for a group of first-time CISOs, and I came up with the idea because at some point, I think in 2018, I started thinking I've acquired. I was talking to someone who'd gone to business school and I was like, oh, what are you doing in business school? And then we ended up having this long conversation, walking through each of the classes, and at the end of it I said, I think I have an MBA through experience, because everything you've talked to me about your classes is stuff that I've been in those business meetings for. And so I created this training program, business for security leaders, and we mentored a group of security leaders. Fantastic, and they ate it up, because they were able to ask questions and process it and think about it and they could relate to specific meetings they'd been in before but not really understood the language.

Dave Tyson:

There's a definition out there that I've been struggling with and I'd love to get your perspective on, and that is the word breach. What constitutes a breach? I think there's, you know, there's a regulatory view, and I think there's a number of regulatory views of what that means. Then there's, I think, maybe different legal definitions, but it seems to be one of those murky areas now that causes pain, because at a technical level, I would say that there are some people who will say that breaches happen every single day, at every company, depending on your view of what a breach is. What are your thoughts around what that legal definition or that regulatory definition is that organizations, I've even heard companies say, you can't use the word breach.

Joe Sullivan:

Yeah. So I think of it the same way I would think of any other technical specialty. We wouldn't ask someone who doesn't know how to code to, you know, go work on the software, and to me that's legal terminology where we need to have an expert in the room, and I don't think any security leader should try and become that expert themselves. I felt like after my case kind of first splashed into the news, there was a lot of that running around and trying to figure out how do I memorize every permutation. There's no possible way. If you run security for a multinational organization that has customers in Europe and Asia, forget it. I mean, in every company I've worked at we've had customers on every continent and probably hundreds, you know, over 100 countries. So there's no possible way that I could know what our obligations are around engagement with government. The more important thing for the security leader, in my mind, is to internalize something even more scary than trying to memorize all that stuff, and that is, if you look at my case and what the government was really upset about, what the judge was upset about even at the sentencing, was the totality of communication by the organization about security at a high level and then the minutiae at a low level, and I think that's a great expectation that some people at the company will understand all of those obligations and make sure that they're happening accurately. We don't have dedicated people on our team in security that do that. We count on other teams to do that, and so, oh, there's been a lot of conversation about security leaders, like employment contracts. What should they have in their employment contract? Everybody wants to talk about D&O insurance and stuff like that. I think more importantly would be to have a commitment from the company to have the resources you need to do your job and where there's risk like this.
So, getting back to something we were talking about earlier, I want the company to commit, have dedicated attorneys who are expected to be experts in these areas, who are effectively on call, because, as you know, most of our security incidents happen on Friday night, on a holiday. Yes, if it's a three-day weekend, you're going to have a problem, and we need to have a lawyer there with us, but we also need to have a communications person who understands this space too, and maybe you need to have outside counsel committed too, which is another layer of cost that companies balk at sometimes, but you've got to insist on all those things because it's going to be a team process. And why do I say that the security leader needs to care about that? Because if you look at the situation related to SolarWinds right now and you compare it with my case, you'll see.

Joe Sullivan:

There's one specific factual thing that struck me. I was able to hear the CSO from SolarWinds talk about his case and where it's at, and my number one takeaway from that was that his company had done a lot of communication about security to the government and a good percentage of it he hadn't personally seen. And in my case, my lawyers actually had a slide that showed all the communications with the government and the communications with the government that I had seen, and it was a small subpart that I had seen. And in the same way, if you step back and you stopped a person on the street, a person who might be a juror in your case, and you said, hey, this company has a security issue and they have a head of security who should be responsible, the person on the street.

Joe Sullivan:

They'll be like, the head of security, they screwed up. And then the head of security would say, but wait, I'm just like one little part of this big machine that spits out an outcome, and nobody cares, and it's the same thing. Okay, the company said something. You're the person on the street. The company promised me good security and promised me that everything was okay. Oh, and there's a person inside the company called the head of security who should be on the hook. It's the person. I guess the question is, how much are we as security leaders paying attention to all the things our company is saying about security in all these contexts? I've been at a public company and sometimes I've seen the 8-Ks and the 10-Ks that the lawyers have sought me out and said, hey. Usually they would seek me out and say, we're changing the language and we wanted to run it by you, and I'll look and be like, well, I never saw V1. How many years have we been saying that? And so, and maybe like, what percentage of security leaders know what an 8-K and a 10-K is?

Dave Tyson:

Or where's the comparison? You look at the language that's in those, and I've reviewed a lot, I've written a few, and it's always the standard stuff. We use best practices, we have an outside firm that tests these things, but there's very little relationship between that and the day-to-day realities of security in an organization. I mean, those are nice general high-level feel-good statements, and I think that that's the kind of stuff where there's a risk of reality and the regulatory bashing into each other at some point.

Joe Sullivan:

Yeah, there's one other layer to this that I've been thinking about, which is I'm lucky in some respects right now that I have a different perspective, which is I'm not working from inside one company, I'm doing consulting and advising to a number of different companies, and so I've been watching as there are debates about new, different policies. The federal government will release a statement saying we're thinking about banning ransomware, or we're thinking about this, or we want to pass regulation requiring that makers of software have liability for that. And I was thinking, whose voice is heard when the government says that and gives them feedback on it? The companies that we work for often have a very strong opinion on the regulation, and the strong opinion is usually we don't want more regulation. And so that goes back to the thing I was talking about, where we could live in a world of regulation by enforcement or regulation by rulemaking. If you're the person who's supposed to drive the car between the lines, the security leader, which world do you want to live in? You want to live in a world of rulemaking, so you might feel very differently than your company about what rules the government should be putting out, but as security leaders, we don't have a strong voice. The only voice is our company, and we might have, like, if we're some of a subset of CSOs who actually get invited to internal meetings about policy things, we might have voiced an opinion. We might have said, yes, we would like a nationwide data breach law that brings consistency and simplicity to it, when our companies are in Washington DC throwing sand in the engine of that type of change. And so I think, as security leaders, we need to find a bigger voice. We should be thinking about how to get a voice outside of the organizations that we work for today.

Dave Tyson:

Joe, turning now to, sort of, we talked a little bit before about the relationship between government and private industry, whether they be publicly traded or not. What are your thoughts on how that relationship can evolve or grow to be more effective?

Joe Sullivan:

I think it's on all of us to make that relationship better, and I think there are a lot of concrete things we could do. It's funny sometimes when I read articles about certain industries. They'll describe how people move between the private and the public sector back and forth, and a lot of times the articles are negative about that because of the idea that, oh, you go into government, you regulate an industry and then you go out and make lots of money and then you go back in and you protect the companies you worked for, is kind of the way it gets spun. But there's a flip side to that, which is when you're in government after you've been in an industry, you understand it at a different level and you appreciate the good things, and you know where the skeletons are too. And so if you're a really committed public servant, at that point you have the tools to do the job better than if you've never been in an industry.

Joe Sullivan:

I look at the legal profession. When I got out of law school, I went and did a clerkship in the government. Most of the people who did clerkships with me went into the private sector and they worked at a law firm for a few years. Then they wanted to become trial lawyers, so they went back to the government and did trials. Then they wanted to become partners at law firms and they went back, and then maybe, if they were lucky, they became a judge. But what you had there was a public and a private sector that understood each other, did it together, spoke each other's language, and we don't quite have that in security for a bunch of different reasons. People inside government, I know because I was there, you get attached to the idea of your equivalent of a pension and retirement at a certain age, and so there's the pros of the compensation on the government side, but you go on the private sector side and there's financial pros too that are hard to leave behind to go into the government for a short period of time, and so there's not the incentive.

Joe Sullivan:

I've talked to people. I've probably personally helped more than 50 people find jobs in tech companies coming from the federal government and kind of mentored them through that process, and they felt that when they were making that transition out of government that they were not shunned, but looked down on, and the idea of them being invited back into government, they felt like it wasn't going to happen for them.

Joe Sullivan:

So that's kind of like one dynamic that undermines that back and forth. A second thing that undermines it is the government and the private sector don't use the same frameworks for managing risk, don't use the same technology for running their organizations, and so a security leader is supposed to be technical in terms of understanding their environment, and if you've never operated in an environment like the private sector and you've only operated in a technical environment in the government, there's another reason you don't speak the same language. And so we have this Tower of Babel situation, where you've got lots of different types of private sector organizations and lots of different government organizations trying to figure it out, and they are collectively responsible for the safety of the citizens.

Dave Tyson:

So is there anything specific you can think of that we could do to evolve that, from how the government is able to, to how we can partner together better? I wonder, because today we have regulatory frameworks, we have some best practices, we have a few of those things, but the bugbear in the room has always been information sharing. That's been a tough one. There's been a lot of debate. I think that the government continues to try to do the right thing there because they have a test that they have to balance. Obviously, you have to control sources and methods, but is there anything else that we can do to evolve that public-private partnership?

Joe Sullivan:

There's a lot, and I will say that there's been a lot of progress, I think, in the last decade, in fits and starts. Last year I was the CSO at Cloudflare and, even though my case was pending and going to go to trial, I was still in meetings, working hand-in-hand with senior people from the Department of Homeland Security as we dealt with Log4j, as we dealt with the full-scale invasion of Ukraine in February 2022. And there were intentional collaborative efforts by the US government to try and engage with the technology platform companies that could help and had visibility into what was going on, and those are very productive collaborative efforts. Interesting. Right now, I know that I really enjoyed those collaborations. But now there's talk of, and I guess it's got subpoena authority in some context, but now some security leaders are saying, wait a minute, I'm supposed to go in, open the kimono and talk to these people who are going to be regulating or investigating me. It creates a bit of a funky dynamic there when you're thinking about partnership. Right.

Dave Tyson:

When you think about the, I'll call it the diversity in regulations that exist out there. One person's opinion: I've seen five or six government entities over the last couple of years take a broader stance in regulating the cybersecurity space. We've seen this with privacy. Obviously this has been a big deal. But the FCC, the SEC, there's a number, even the Department of Energy, TSA, all trying to do the right thing. Do you think there might be a better model or some way to be able to articulate what organizations should do, without having to create another new framework or another new regulatory body or another new set of rules, that would encourage businesses to want to do the right thing?

Joe Sullivan:

Yeah, it's funny. I think there's a saying we use a lot in security, which is complexity is the enemy of good security, or good security starts with simplicity. I would submit that the same would be the case for regulation: the easier the rules are to follow, the more likely they're going to be followed. I do see that different regulators bring different issues, because each regulator comes to the situation with a different mission. They have a different drive based on who they are and who they represent and who they're supposed to protect.

Joe Sullivan:

A good example of that is looking at the world of privacy at a very simple high level, comparing how the European regulators approach privacy versus US regulators. You'd probably say, well, who is the US regulator on privacy, which state? And so there's a lot of different stuff, and California has stepped up and done a lot recently. Other states are doing things, and the federal government would probably say there are some privacy laws in different contexts. But from the side of someone who sat inside companies that were regulated on privacy, it was good to have different regulators who had different perspectives. I just wish they talked to each other and put it in a single framework and spoke in a single language to us.

Dave Tyson:

Well, I think what it does is it forces companies to, from my personal experience, whatever is the most strict, that's what we're going to apply to everybody, for the simplicity concept. If we have to meet something that is onerous, at least it will be the same everywhere we can.

Joe Sullivan:

The challenge is that's not always the most cost effective to do it that way, and the regulator who came up with the most strict might not be the regulator who understands the industry best and is trying to balance supporting businesses growing in their local economy with risk management.

Dave Tyson:

Looking back at this conversation, I wonder do you think that the role of the CISO, as it relates to management or the board, has changed fundamentally?

Joe Sullivan:

I do. I think it has grown into a much more important role. Its growth is tied to the growth of technology in our society. Twenty-five years ago, you didn't need to have an expert on the board and in the C-suite who could explain the downside risks to your customers in the world and the expectations that they have on the organization. Now every organization needs to have both.

Dave Tyson:

I was present at your sentencing and heard what the judge said about "where is the CEO?" I wonder if that message is going to be heard loud and clear in terms of not only awareness but change. Do you think that this is the beginning of that journey for CEOs and for executive leaders?

Joe Sullivan:

I do. I think that the SEC guidelines are a really good next step. I was talking to some CISOs recently, and this topic came up, and they said, oh, they're planning on going to their board and explaining this new stuff from the SEC. I said, why are you explaining it? Why don't you ask your general counsel to explain it? They're the experts on the law and regulation. By the way, it would be better for you personally if it's someone else explaining it rather than you. Sometimes it feels a little unfair to the security leader that they're not just the person who's supposed to go do the substantive job, they're the one who's supposed to explain that the job needs to exist. Explaining that the job needs to exist feels like you're being a squeaky wheel. We should be the squeaky wheel about the substantive security risk. Okay, we need to dedicate some resources over here, but you having the resources to go find the problem shouldn't have been something you had to fight for, but it too often still is.

Dave Tyson:

So now, Joe, thinking about the case which you've been through, all of the thinking you've probably done on this over the last while, how do you think about this differently? How do you think about what those key messages are to both CSOs, to management and even to the board?

Joe Sullivan:

Well, I think let's take each group individually. I think for board members a really important question that they need to ask themselves is, am I getting the full picture? Am I getting the unvarnished truth? Do I think that the company has the resources to actually get to the truth, and a team that's funded to get to the truth? And then, do I trust the truth that they're giving me?

Joe Sullivan:

I'm sure board members think in all contexts, I'm getting a very polished presentation that has been tailored to make me feel everything is perfect except for very specific things. So I assume board members are trained in how to dig. They've got to learn how to dig in this new area, and I don't think it's easy. I do a lot of going inside companies and looking at their security posture, and I've been doing security for a long time and I've run large teams inside large organizations doing security, I think, very well. But I couldn't figure out in four hours whether a company is doing security well. I don't think I could figure out in 10 hours whether a company is doing security well, and so that means the board member needs to have some of that independent ability to figure out, is the company doing security well? But also, the company has to have processes to kind of surface and deal with risk in a way that they feel confident that things are getting surfaced to them.

Dave Tyson:

Do you think that boards need to have their own independent advisors on this topic?

Joe Sullivan:

Most of us, when we're running our own security team, we don't just listen to our own team, we bring in outside auditors. A lot of us are required to bring in outside auditors by our customers. So I'm sure in every organization that you've run, you've had a vendor security program where you scrutinized your third parties and you made them get third-party auditors to come in. It's a sad truth, but security is complicated, and having multiple eyes look at things usually leads to better outcomes.

Dave Tyson:

So what about the other audiences here? You've got the management team, the CEO, the senior exec team, and you've got the CISOs.

Joe Sullivan:

Well, hopefully, the rest of the management team is starting to realize two important things. Number one, security presents a real risk to the business, and so everyone on that leadership team is invested and has one goal: the success of the business. And so security is one of the things that, if the brakes stop working on the vehicle, you're not going to start the vehicle because it can't stop. So they need to be supportive of investment in security. And that's a challenge, because every leadership team gets a certain amount of money they want to spend, and it's always a debate between what do we spend on growth of the business and development of customers and development of products versus management of risk. But if you're looking at it holistically, with the right approach, then you're going to allocate your budget to both sides appropriately. So that's part one. And then part two for them is they're personally on the hook now in ways they weren't before.

Dave Tyson:

Yeah, yeah, all right, let's close out with the CISOs.

Joe Sullivan:

Yeah, and for CISOs, I want every CISO to step up and become a company leader. I am sorry, but they have to carry that weight of advocating for and insisting on the right resourcing, and they have to do the substantive job. They need to be part of the exec team. They need to be part of the team that makes the decisions every day about how the business is run. They need to keep pushing to be in that room. I think some CISOs are pushing to be on boards too, and that will be great, because then they will really see holistically how multiple companies run. And that's really uncomfortable for most CISOs who come from the technical ranks who, when they got into those technical ranks, thought of this as a profession that had a certain ceiling. And now we're telling them that wasn't the ceiling, that's the floor, and they've got to step up and no one's holding out a hand to pull them up. They just have to jump up there, yeah.

Dave Tyson:

You said earlier that you're out doing consulting for different firms. I'm sure your advice is immensely valuable from your experiences. So what's next for you?

Joe Sullivan:

So I do half-time non-profit work. I'm the CEO of a non-profit that provides humanitarian aid to people in Ukraine. We've done a lot of different things as the war has evolved. Right now, a big focus for us is helping kids who are in remote school in Ukraine. So in a country of 40 million people, half the kids have remote education still. So they had remote education during the pandemic, and then when our kids got to go back to school, theirs didn't because the war had started, and so these kids have been in remote learning for years, and it's just a tragedy.

Joe Sullivan:

So I've been partnering with a bunch of different companies to take their used laptops over so that the kids can use them, because of all those kids who are in remote learning, half of them don't even have a laptop.

Joe Sullivan:

They don't even have a computer. They're borrowing something off their parents' phone to do remote learning, and so one of the cool things is that I've been able to get a lot of companies to look and figure out, what do we do with our used laptops, and then plug my non-profit in and we'll ship them over, make sure they're cleaned and wiped and safe and all that stuff first, of course. Every single company that's donated a laptop has been a company that I was connected to by a security leader of that company. So we talked a little bit about the network of security leaders in the world. It's a very caring group. Security leaders seek each other out partially for commiseration and moral support, but partially for learning. I mean, the reality is, when you get in that security leader role, everyone above you thinks you know the answer and everybody below you thinks you know the answer.

Joe Sullivan:

You know the answer, and so you're afraid to show that weakness to anybody. It's hard to say I don't know the answer to your team, and it's hard to say I don't know the answer to your CEO. And so who do you turn to? Your peers.

Dave Tyson:

It's so funny. I've got to tell you the story. So I joined eBay in October of 2007. I had been in the industry a long time, you know, in Canada mostly, but I had just moved to the US, and one day my boss, Dave Cullinane, who I'm sure you knew quite well, comes along and I'm throwing all of my security books into the trash. I had quite a library I was proud of. And he said, what are you doing? I said, well, I'm throwing all these books out. And he said, well, why? I said, because everything I'm expected to do here hasn't happened yet, and there's nothing in these books from the past that prepares me for that any better. And that's how I sum up the experience of being a CISO. So often it's the next new thing, the next new technology, the next evolving problem, and you have to be good at dealing with the uncertainty. Right. I say, you know, being a CISO is like, you know, getting 10% of the information you need and making career-ending decisions all day long.

Joe Sullivan:

It's not easy.

Dave Tyson:

So back to your organization. If folks who see this want to be involved, can they donate laptops? Is there a place they can do that?

Joe Sullivan:

Absolutely. Our website's ukrainefriends.org. You can send an email to info at ukrainefriends.org and it'll go to me, and we only have two employees in the United States, one who's paid and myself volunteering, and the rest are all over in Poland and Ukraine. We have warehouses over there and we ship things over. We also ship over medical equipment, blankets during the winter, you name it.

Dave Tyson:

Excellent. Well, we'll make sure that message gets out there. Thank you for your time today, Joe. It's been really great. Thank you, appreciate it. Thanks for having me.

Mark Havenner:

This has been Executive Cybersecurity with Dave Tyson, a production of Apollo Information Systems. Visit us at apollo-is.com or, if in Canada, apollo-is.ca. Thank you for listening.

Evolution of Cybersecurity and Board Engagement
Regulation and Responsibility in Evolving Industries
Security Leaders and CEO Accountability
Advice for CISOs and Professional Development
Government-Private Sector Partnership in Cybersecurity
Security Leadership Challenges and Responsibilities