
Joe Sullivan: CEOs must be held accountable for security too

The former CSO at Uber was found guilty in 2022 of obstruction of justice relating to a breach. Now he's calling for clearer regulatory frameworks for security.

Chief security officers face daunting threats to critical infrastructure, but these days, the stakes for CSOs/CISOs are even higher as they could be personally charged with crimes related to company breaches.

Last year, Tim Brown, CISO at SolarWinds, was charged by the U.S. Securities and Exchange Commission (SEC) for misleading investors and failing to disclose risks, among others. In 2021, Joe Sullivan, former CSO at Uber, was charged by the Federal Trade Commission (FTC) for obstruction of justice and misprision, or concealment of illegal activity.

While some charges against Brown are still being litigated, Sullivan was convicted by a federal jury in 2022, placed on three years' probation and fined $50,000. He's currently seeking a new trial, and a 9th Circuit U.S. Court of Appeals panel agreed to take his case under submission.


Sullivan, a former federal prosecutor who also worked at PayPal, Facebook and Cloudflare, joined Uber in 2015 just as the FTC was investigating a breach from the year before. In 2016, Uber experienced a second incident in which driver's license data and some personal customer data stored in an Amazon S3 bucket was "inappropriately accessed," according to a press release. At the time of the incident, Uber leadership considered it a bug bounty, a crowdsourcing tactic that incentivizes finding security vulnerabilities, and didn't disclose it to the federal government. That changed when a new CEO came into the company in 2017.

Now, Sullivan has formed an advisory and is sharing his experience, appearing on a panel at RSAC in May and at Rubrik's data security event last month. He recently met with TechTarget Editorial to discuss CEO accountability and the need for clearer rules on what CISOs are accountable for, pointing to the Sarbanes-Oxley Act as a successful regulatory model on which to draw.

Editor's note: This Q&A has been edited for clarity and brevity.

I want to go back to your time as a security officer at PayPal, where you introduced a responsible disclosure policy, and then at Facebook, where you helped launch an early bug bounty program. How did being a federal prosecutor affect those choices and what were you hoping to achieve?

Joe Sullivan: One of the things that's frustrating when you work in cybercrime is you feel like you can go on the dark web forums ... and you'll see the bad guys are all working together. They share best practices, they brag about what they did, they talk about their failures. But the good guys don't share best practices with each other. We don't work as a collective defense.

Bug bounty programs, to me, are the most economically rational thing that a company could do, because you pay for results. ... If you find a vulnerability, I pay you; if you don't find a vulnerability, I don't pay you. The outside bug bounty community is an extra [layer] of focus. The bad guys are going to try and poke holes in your website anyway, so you might as well invite the good guys to try and poke holes, too, because the more people who are looking, the more things are being surfaced, and the better you're going to do.

In 2017, you were fired for a security incident that then-Uber leadership described as a bug bounty, but when it came to light, the FTC saw differently. Some of this feels like semantics, so how do you define a threat actor versus a bug bounty participant?

Sullivan: Sometimes, when you hear the different parties talking about cases like this, it feels like they're speaking different languages. ... The United States government is a fan of bug bounty programs. HackerOne has done bug bounty programs just like they did with Uber, and they've done them with the U.S. military. They've done a Hack the Pentagon. And there's lots of understanding that bug bounty programs are a good thing.

The Uber case is a very complicated, atypical case. ... When you step back and say, why is the security community freaked out about that obstruction of justice charge [against me] -- it's because it's very akin to what the SEC is saying in the SolarWinds case with Tim Brown. What they're saying is the company made representations about its [security posture], and the security team knew certain things about their security practices. And we don't think the representations by the company are 100% aligned with what the security team is feeling internally.

The fundamental question is, whose job is it [to communicate] accurately about the security posture of the organization? In my case, the government is basically saying it was my duty to make sure [the company] says the right thing. And I could be held guilty even if I didn't say anything at all to the FTC.

On the one hand, I fundamentally agree that companies should have an obligation to be transparent to the government if the government asks them questions. I think we all expect that. But on the other hand, I don't think [we need to] have a precedent that security leaders are responsible for managing their company's external communications, because anybody who's worked inside a corporation knows there are significant lanes that you have to stay in. You have to partner with other teams, you need to make sure they're in the loop, but you also have to trust that the other teams are going to do their job. ... It's a complicated situation that companies should be held accountable for being accurate in their statements, but I don't think the security team is the only team that should be on an island in those situations.

The then-CEO of Uber, Travis Kalanick, was not held responsible for this security incident -- you were. What do you think it will take for CEOs to be held responsible?

Sullivan: I think it's heading in that direction. You can see it. I always try and bring up that point about the fact that the judge in my case [noted that the CEO was not charged]. The judge didn't say that for my benefit. He said that for the benefit of every other case that's going to come in the future. He made the prosecutor squirm because he wanted every prosecutor to hear that the judge wants to see the CEO next.

The CEO defines the culture around risk tolerance. That's just how it works in corporate America. If you want to build a brand on safety, you prioritize some things. If you want to grow market share as fast as you can, you prioritize other things. That culture is not set by the security team. Budget -- every CISO is going to ask for as much as they can get, and they never get 100% of what they ask for -- that's not decided by the CISO. The same for specific risk decisions. ... The daily risk decision-making at the company is tied with the culture the CEO sets, and the hard decisions roll up to the CEO.

That's the reality in corporate America: When the CEO starts being held accountable, that's when change happens. There are recent examples that are showing that trend [in cybersecurity]. CISA, the DHS [Department of Homeland Security] cybersecurity agency, has a new initiative called Secure by Design, and they've been asking companies to sign on to it. Who do they ask to sign? The CEO. Sen. [Ron] Wyden [D-Ore.] published a proposed bill [on Sept. 26]. He was the senator who grilled the CEO of Change Healthcare on Capitol Hill. They didn't call the CISO to testify, they called the CEO, so we all got to watch the CEO of a company have to explain why they didn't have multifactor authentication rolled out effectively and thus were vulnerable.

[Wyden's] proposed legislation says they basically want to create the equivalent of Sarbanes-Oxley for cybersecurity for the healthcare industry. They specifically say, 'We want the CISO to sign, but we also want the CEO to sign.'

Sarbanes-Oxley for cybersecurity would set standards. When you talk about standard-setting, though, are you talking about the enforcer, the enforcement or both?

Sullivan: Why did Sarbanes-Oxley come into existence? Because of Enron and WorldCom. If we think back to the late '90s, there were just a bunch of really upsetting situations where companies were cooking the books financially, and different regulators jumped in.

The way the executive branch works is that any regulator can jump in and try and establish authority, but none of them got blessed by Congress, and it's chaos. It was kind of like the chaos we have right now in cybersecurity. Congress hasn't passed meaningful cybersecurity legislation since 1996 -- almost 30 years -- so there's no clear guidance.

Regulation comes in one of two ways. It comes from legislatures writing laws like Sarbanes-Oxley. Or if there is no legislation, then regulators from the executive branch often start to do what they call regulation by enforcement. In my case, the government can point and say, 'Look, you have to be transparent or else.' There's no law that says, 'Be transparent,' but there's a case that says, 'Be transparent.' ... That's why cybersecurity professionals are so stressed out right now. ... They're worried that if their company has an incident, they're going to be next.


What do you say to CISOs to help them navigate this terrain, since it's not black and white?

Sullivan: I don't want cases like mine and Tim Brown's to scare people out of the profession. They're extreme edge cases. I tell people it's really important that we have good people doing this job. If the best people run away from it, then we all suffer.

I tell them, No. 1, [don't] run away in fear -- think through the issues that have come up in our cases. The biggest commonality between Tim's case and mine is that both are fundamentally about company communication. Why is that? It's because those are the tools that the government has. Congress hasn't taken the time to give a specific agency specific tools in the way that we'd all like.

What we want, I think, in the profession, is we want to see Sarbanes-Oxley for security. We want to know who my regulator is, what standard are they going to hold me to and what cadence of communication am I supposed to have with them. And how do I get a regulator who actually understands how hard my job is to fight against Russia and China and every other hacker on the planet?

What advice do you have for young CISOs in the job market on how to find the right fit?

Sullivan: You have to make sure that the organization is prepared to partner with you on your mission. The fact that the company is trying to hire someone shows a level of commitment, but I think the security person should be trying to interview more than just the team they're going to get.

[Security leaders need to] think of themselves as a leader of the company, and you wouldn't join a company as a leader unless you've met with the other leaders. The people who are building the product, the people who are building the technology, the people who are making the legal decisions, managing the finances -- those are all peers for the security leader. You have to think of this whole group as a team. You want to get to know those people and understand that every one of them is going to have a competing priority every day -- the head of business, the head of sales, the head of marketing. If there's $10 left in the company, they all want to spend it on their project, not your project. But they have to see some value in your project too.

Nicole Laskowski is a senior news director for TechTarget Editorial. She drives coverage for news and trends around enterprise applications, application development and storage.
