Joe Sullivan emphasizes the need for holding CEOs accountable for security

In recent years, the role of Chief Security Officers (CSOs) and Chief Information Security Officers (CISOs) has become increasingly challenging due to the evolving threats to critical infrastructure. However, the stakes for these professionals have been raised even higher as they now face the possibility of being personally charged with crimes related to company breaches.

One such high-profile case involved Tim Brown, the former CISO at SolarWinds, who was charged by the U.S. Securities and Exchange Commission (SEC) for misleading investors and failing to disclose risks. Similarly, Joe Sullivan, the former CSO at Uber, was charged by the Federal Trade Commission (FTC) for obstruction of justice and concealing illegal activity.

While Brown’s case is still being litigated, Sullivan was convicted by a federal jury in 2022, sentenced to three years of probation, and fined $50,000. Despite his conviction, Sullivan is currently seeking a new trial, with a 9th Circuit U.S. Court of Appeals panel agreeing to review his case.

Sullivan, a former federal prosecutor who also held security positions at PayPal, Facebook, and Cloudflare, joined Uber in 2015 amidst an investigation by the FTC into a previous data breach. In 2016, Uber experienced another incident where sensitive data was improperly accessed, leading to a controversial decision by Uber’s leadership to treat it as part of a bug bounty program and not disclose it.

Since leaving Uber, Sullivan has become an advisor and has been sharing his experiences, participating in industry events and discussions. He has emphasized the importance of CEO accountability and the need for clearer guidelines on the responsibilities of CISOs, citing the Sarbanes-Oxley Act as a successful regulatory framework.

In a recent interview, Sullivan discussed his past experiences at PayPal and Facebook, where he implemented responsible disclosure policies and bug bounty programs, highlighting the economic benefits of such initiatives. He emphasized the importance of collaboration and transparency within the cybersecurity community.

Regarding his termination from Uber in 2017, Sullivan expressed frustration with the differing perspectives on the incident, with some viewing it as a bug bounty matter while others saw it as threat actor activity. He underscored the importance of accurate communication about a company’s security posture and questioned the extent of a security leader’s responsibility in managing external communications.

Sullivan also addressed the issue of CEO accountability in cybersecurity incidents, noting a trend towards holding top executives responsible for security failures. He highlighted recent initiatives and proposed legislation aimed at increasing CEO accountability in cybersecurity matters, drawing parallels to the Sarbanes-Oxley Act.

In offering advice to young CISOs entering the job market, Sullivan emphasized the need for alignment with organizational objectives and the importance of building relationships with other company leaders. He stressed the role of the security leader as a team player, working alongside peers in different departments to achieve common security goals.

Overall, the evolving landscape of cybersecurity presents challenges and opportunities for CSOs and CISOs, with regulatory frameworks and industry trends shifting towards increased accountability and transparency at the executive level. As the cybersecurity profession continues to evolve, the role of security leaders in safeguarding critical infrastructure and protecting sensitive data remains paramount.
