
Ep 88: From Prosecutor to Security Leader – Joe Sullivan (ex-CSO: Uber, Facebook, Cloudflare)

S6 E88 · The Abstract
78 plays · 16 days ago

How do you make the transition from federal prosecutor to security leader? Help secure some of the world's largest technology companies? And build yourself back up after being convicted by a federal jury for your company's handling of a data breach?

Join Joe Sullivan, CEO of Joe Sullivan Security and the non-profit Ukraine Friends, as he reflects on the trial and sentencing he endured for a data breach at Uber, and uses that experience to interpret the manifold challenges that chief security officers face each day.

Listen as Joe shares his journey from the first full-time cyber federal prosecutor in the country to legal and security leader at eBay, PayPal, Facebook, Uber, and Cloudflare, why lawyers need to work closely with security teams, the relationship between security and privacy, and much more.

Read detailed summary: https://www.spotdraft.com/podcast/episode-88

Topics
Introduction: 0:00
Becoming the CEO of Ukraine Friends: 2:43
Getting a start in cyber: 13:55
Transitioning from tech-savvy prosecutor to trust and safety at eBay and PayPal: 17:18
Taking on security at Facebook: 22:20
The challenges that face chief security officers: 24:03
How legal teams and security can work better together: 26:23
The difference between a chief security officer and a CISO: 30:03
Navigating the fallout of the data breach at Uber: 32:02
Working at Cloudflare during the Uber trial: 37:21
Building a private security practice: 38:28
Joe’s biggest learnings from the trial: 44:01
Rapid-fire questions: 46:08

Connect with us:
Joe Sullivan - https://www.linkedin.com/in/joesu11ivan/
Tyler Finn - https://www.linkedin.com/in/tylerhfinn
SpotDraft - https://www.linkedin.com/company/spotdraft

SpotDraft is a leading contract lifecycle management platform that solves your end-to-end contract management issues.

Visit https://www.spotdraft.com to learn more.

Transcript

Discovering Indictment and Arrest Miscommunication

00:00:00
Speaker
I knew for at least a year before the indictment. Well, first, it was a criminal complaint I was charged with, and then they did an indictment later. So I learned about the criminal complaint the same way I learned that I was getting fired from Uber: in the news.
00:00:12
Speaker
Press release? Yeah, the U.S. Attorney's Office and the FBI did press conferences. They didn't tell me they were going to charge me on that day. I was sitting at my desk working for Cloudflare, working from home because it was August of 2020. Yeah.
00:00:28
Speaker
Yeah. So six months into the pandemic, I was sitting at my desk working, and my daughter, who was moving into college that week, was with her mom. My daughter calls because her friend heard on NPR that I'd been arrested.
00:00:43
Speaker
And so she started getting people reaching out, like, are you OK? Because the FBI put out a press release that was a lie. They said that they had arrested me when they actually hadn't. I've never been arrested.
00:00:56
Speaker
I don't know why they did that. I asked them to retract it a few weeks later, and they did. But they put out that fake press release, so everybody thought I was in jail. And I had to call everybody and say, no, I'm not. I'm okay. That's quite a typo.

Career Highlights in Tech and Legal Roles

00:01:18
Speaker
How do you make the transition from federal prosecutor to security leader? Help secure some of the world's largest technology companies? And build yourself back up after being convicted by a federal jury for your company's handling of a data breach?
00:01:36
Speaker
Today, we are joined on The Abstract by Joe Sullivan, CEO at Joe Sullivan Security and at Ukraine Friends, a nonprofit focused on providing humanitarian assistance to the Ukrainian people. I think that's a really cool mission, and I'm excited to talk about that in addition to security.
00:01:54
Speaker
Before launching his own consultancy and the nonprofit, Joe was the chief security officer at Cloudflare, Uber, and Facebook. He spent time in legal roles as well earlier in his career, working on regulatory privacy, trust, and safety issues at companies including Facebook, PayPal, and eBay.
00:02:15
Speaker
Joe started his career as an AUSA in the computer hacking and IP unit of the Northern District of California. And he spent time as a board member at the National Action Alliance for Suicide Prevention, something that I think we can all agree is a very important mission in our country today.

Humanitarian Efforts in Ukraine

00:02:35
Speaker
Joe, thank you so much for joining me for this episode of The Abstract, recording here in San Francisco. Thanks for having me on. I'm looking forward to this. Okay, we're going to talk a little bit about your career today, but I think it's too interesting and timely not to bring up Ukraine, given your work there.
00:02:52
Speaker
You recently returned from a trip to Ukraine. What's the situation and the mood like over there? Yeah, so this was my fifth trip to Ukraine in the last two years, and I got back about a week and a half ago.
00:03:06
Speaker
And I would say that the people there are in a good place. As good a place as you can be, being a small country in a war with Russia, which is a really hard place to be.
00:03:21
Speaker
Every time I go to Ukraine and then I come back, people say, oh, you're so noble for going. And on the inside, I actually feel like selfish because I believe I get more out of those trips than I give because the people inspire me so much.
00:03:38
Speaker
Like what I've seen over the course of all these trips, and traveling around the country and spending time with people who are suffering, is that they've come together as a country, as communities, in ways that I think we've forgotten about here.
00:03:52
Speaker
There's nobody I meet there who isn't doing something to help other people. I can have a big bag of medical equipment and I'll say to somebody, I need to get this to this town that's near the front lines because there's a surgeon who needs them.
00:04:07
Speaker
Sure. And within 20 minutes, I'll have three different people who'll know somebody who's driving in that direction. And then within six hours, I'll have a picture of the surgeon with the package. And over and over, I've experienced things like that there.
00:04:24
Speaker
And so I just like that reminder of people helping each other, and also just their general resilience in the face of what seems like overwhelming odds.
00:04:37
Speaker
They aren't, like a lot of us, caught up in the roller coaster of following the news, because if they were, they would have... you know, over the course of my times there, they've been winning, they've been losing, they've been having full support from the United States, they've been having no support from the United States. There's a new president coming who might not support them. Exhausting. It could be exhausting for them.
00:04:57
Speaker
And they do pay attention to the US news. It's covered every day because we as a country really help them. One of the other things that I appreciate when I go there is that people stop me and say thank you.
00:05:10
Speaker
They say you're from America, right? Thank you. And thank everybody else because they know about the support that's come. They've personally experienced it, many of them. And so they're very grateful to our country.
00:05:22
Speaker
What was it that motivated you to take on this challenge? And tell us a little bit about the work that you're doing there as well. Sure. So I started doing this at probably the lowest time in my life.
00:05:36
Speaker
The way I started: so in 2017, I was fired from Uber, and in 2020, I was indicted. In between, I started working at a company called Cloudflare, which was a small private company and has since become a strong public company.
00:05:52
Speaker
And I went into Cloudflare and built their security organization from 2018 to the end of 2022. And so I was there for four and a half years, and I was there at the beginning of the full-scale invasion.
00:06:05
Speaker
Right before the full-scale invasion, the United States government reached out to us, Cloudflare, and asked if we could help the Ukrainians. If you remember, in February of 2022, President Biden was saying Russia's going to invade Ukraine. And everyone was like, no, that's not happening.
00:06:20
Speaker
But US Cyber Command, in anticipation, asked us to deploy in Ukraine. So I was remotely, from here in Northern California, supporting Cloudflare deploying our product inside Ukraine.
00:06:34
Speaker
Amazing. And then in the fall of 2022, summer/fall of 2022, I went to trial and lost the trial. And that was when I hit the low point, because even me being indicted while working at Cloudflare was hard for Cloudflare, in that they lost customers because they chose to stand by me. And there were corporations that decided it was too much of a compliance risk to do business with Cloudflare when they had a CSO who's facing a criminal case.
00:07:04
Speaker
So I had reached an agreement with the founders, who had been very supportive, where I said, I will leave if I lose the trial, because that would just not be good for the company. Yeah. And so I left after. So I lost the trial at the beginning of October of 2022 and decided I need to do something
00:07:24
Speaker
to keep my... Yeah. After about a month of just moping and going down into that dark place, and having to start thinking about facing a sentencing hearing and potentially going to prison and all that would come from that.
00:07:39
Speaker
And, you know, people don't appreciate this, but when you get convicted of a felony, all your bank accounts get shut down. Your homeowner's insurance cancels you. Your car insurance cancels you.
00:07:51
Speaker
And so I was dealing with all those things, but I wasn't working anymore. And so I reached out to a bunch of different nonprofits that I'd helped over the years, when they were happy to be associated with me.
00:08:05
Speaker
And essentially, they all said, we can't afford to be connected with you, which was very frustrating and hard to hear because I'd given time and energy to these organizations.
00:08:17
Speaker
And then I didn't give up. I was talking to a friend of mine who was a recruiter. He was the recruiter who placed me at Uber, so he owes me one for that.
00:08:27
Speaker
But he'd also placed me at Cloudflare and some other things, like I was an advisor for Whoop, the fitness band company, through him. And we still work together on projects. And so I reached out and I said, I would like to do something volunteering related to Ukraine. That was the most inspiring thing I did during my last year at Cloudflare.
00:08:47
Speaker
And he got his recruiters to work. And then he called me back a few weeks later and said, there's this organization, it's called Ukraine Friends. Their CEO is transitioning and they need a new CEO. And I said, wait a minute, Jared, I want to volunteer a few hours a week doing cyber
00:09:08
Speaker
helping Ukraine, not become the CEO of a non-profit. He's like, talk to the board members, talk to the founders. And I did. And then I talked it over with my wife. And I was like, this is not cyber. I can't do this from Northern California.
00:09:26
Speaker
I'm going to end up having to go to a war zone. Are we OK with that? We talked it all through and decided to do it. So I jumped in. My first trip was in early 2023, about two years ago.
00:09:40
Speaker
And before that, the nonprofit was very focused on medical equipment, ambulances and things like that. So I actually flew to Virginia to an ambulance reconditioning facility and worked on shipping over 22 ambulances.
00:10:00
Speaker
Unfortunately, in Ukraine, when the ambulances go near the front lines, they get targeted. And so ambulances are few and far between there. So we were shipping over ambulances and other medical gear.
00:10:12
Speaker
Fortunately, within a short period of time, donors from around the world, more governments, started providing good quality medical equipment. And so the need for that went down. But on my first trip, a friend of mine gave me 20 laptop computers and I brought them over, and I ended up giving out 10 at a Catholic orphanage and 10 at a Jewish community center.
00:10:37
Speaker
And what I found was that the people who were getting the least support and attention were the kids. And think about it like this.
00:10:48
Speaker
We had a pandemic and all of our kids had to do remote schooling for a year or more. Well, so did the kids in Ukraine. And then just as they were coming out of the pandemic in 2022,
00:11:00
Speaker
they ended up in a war. Half the people in the country moved to the west from the east because of the danger. And a lot of schools were getting hit. And as a result, a lot of children were forced into remote schooling, and they were doing it on their parents' phones because they didn't have computers. Because you couldn't go online and order a computer shipped to you in Ukraine. You still can't.
00:11:23
Speaker
And so that inspired me to start talking to more of my friends who run security and IT at large corporations. And as a result, I've been able to get a steady supply of laptop computers shipped over and into Ukraine.
00:11:39
Speaker
And we distribute them. We set up basically a web form where anyone in the country could submit a request to us. We wanted to narrow it down, so we only take requests for children who can't afford a computer and have lost a parent in the war.
00:11:55
Speaker
And so, generally speaking, every kid that we give a laptop computer to is someone whose dad has died in the war. So when I was over there two weeks ago, I went to a school, and we gave a bunch of computers to some teachers who were leading the remote learning.
00:12:11
Speaker
They were using these old desktop computers that they had to go to, like, this warehouse to teach from, and some of the students from that school. And then I met with a group of widows, young women in their 20s and early 30s who've all lost their husbands, who are trying to get into job training programs but didn't have computers.
00:12:29
Speaker
They had tested well, but if they had a computer, they could go learn it, and so we gave them a bunch of computers. And so that's basically what I do. And the cool part about it all is that every single computer that I've gotten and shipped over has been donated through somebody that I know through working in cybersecurity.
00:12:48
Speaker
That's amazing. I was going to ask you, like, why did you decide to do this sort of humanitarian work instead of security? I mean, it's totally obvious. It's self-evident. Well, you know what? The most amazing thing I learned from it all was that when I started doing it, I was in that really bad place personally.
00:13:06
Speaker
You know, I felt like my life is not in my hands anymore. It's in a judge's hands. And, you know, in six months, eight months from now, I'm gonna have to go through a sentencing hearing, and my whole life could be completely disrupted. And I wanted to have some sense of control in my life, number one. But number two, the thing I learned was, when you feel bad about yourself, go help someone who's in a worse place.
00:13:30
Speaker
Yeah. And then all of a sudden your problems don't look so bad. You know, there's nobody I meet on the ground there who's in a better position than me. Even when I was going over there before my sentencing hearing.
00:13:42
Speaker
Yeah. And so when I was there, I wasn't worried about my sentencing hearing. I was worried about these people and caring about them, and inspired by their resilience in the face of what they're dealing with.

Transition from Legal to Security Roles

00:13:56
Speaker
We're gonna talk about the trial a little bit later, and the sentencing hearing and that sort of thing. But that isn't the entirety of your career, right? And that's not where it started. You also didn't start your career in security. You were a lawyer, you were a federal prosecutor.
00:14:11
Speaker
How did cyber feature in your sort of early career and early work, and where did that eventually lead? Yeah, I graduated from law school in 1993 and went straight into the US Department of Justice.
00:14:25
Speaker
I did what's called the Honor Law Grad Clerkship. It was kind of the only way you could get into the US Department of Justice straight from law school. And I did that, and it was a one-year clerkship, and then I went to a law firm for a few months and then realized I didn't want to do that and quickly got back into the Department of Justice.
00:14:43
Speaker
While I was in the Department of Justice, right after I got back, I was working here in San Francisco in 1995. I was able to convince the Department of Justice to let me have an internet connection. I remember we would go down the street to the Bank of America building to get on the internet because they had like a free internet terminal in the lobby or something like that.
00:15:05
Speaker
And so we'd be doing work-related research on a free internet terminal down the street. And I convinced the Department of Justice. They wouldn't let me put my DOJ computer on it, and no one else in the office was allowed to use it. But I wanted to use the Internet for research because I was dealing a lot with political asylum cases and complicated international things, and being able to pull up newspapers from the other side of the planet would be really helpful to have some context for the cases we were working.
00:15:36
Speaker
So that was kind of my first. And then a few years later, I was in the US Attorney's Office. I moved to Las Vegas for two years. I was in the US Attorney's Office there. And when I got there, the Department of Justice had started a program called the Computer Telecommunication Crime Coordinator Program, where they wanted to train one federal prosecutor in every office across the country, so all 94 districts. That's pretty smart, actually.
00:16:02
Speaker
Yeah, so it was started by Robert Mueller when he was in Main Justice back in the mid-90s. And so I was, A, I think the only prosecutor who had a computer on his desk, and B, the only one under the age of 30.
00:16:17
Speaker
So they were like, you must be the high-tech guy. I was like, I am. And so I started doing high-tech cases from there. And then shortly after, Robert Mueller became the US Attorney here in Northern California.
00:16:32
Speaker
And he said, I want to have a full-time unit doing high-tech cases. And he asked me to be part of that team. And so I got to be the first full-time cyber federal prosecutor in the country.
00:16:45
Speaker
Wow. And I was just here going around to companies in Silicon Valley saying, hey, tell me about your cyber crime problems. And they would all say, we don't have any, just like today.
00:16:56
Speaker
But so that's kind of how I got into doing it. And the Department of Justice gave me a bunch of specialized training. I got a special computer, and we had annual specialized training programs, and I worked a lot with the FBI, Secret Service, and different agencies that had dedicated cyber crime investigators.
00:17:20
Speaker
So the transition to working in tech companies then: eBay, you did trust and safety there. I actually just had Rob Chestnut on my podcast. I think you probably worked with him there, you know, working on privacy issues. I mean, that seems like a totally natural transition from being a prosecutor who is very tech savvy and who actually has experience prosecuting cyber crimes.
00:17:42
Speaker
But then you end up taking on security roles later on. And I think, you know, chief security officers, CISOs, are often very talented hackers themselves, maybe. How did you make that transition?
00:17:57
Speaker
You're right, Rob Chestnut played a very big role for me. I consider him one of my most important mentors. He contacted me from eBay and said, would you consider coming here? I'm being elevated into this head of trust and safety role.
00:18:12
Speaker
When you were at DOJ? When I was in the US Attorney's Office. And so we had this really interesting conversation. I said, I love working for the government. I love being a prosecutor.
00:18:23
Speaker
And he said, well, when I'm inside a company, I get to help the company make decisions that will prevent harm from happening. You as a prosecutor, you only clean up the mess, so to speak. You come in afterwards and deliver punishment to the person who did wrong.
00:18:43
Speaker
If you come into a company like eBay, you can oversee policies and engage with product managers and engineers to educate them and help them build a better, safer product.
00:18:54
Speaker
And so that really resonated with me. And when I went to eBay, I reported to Rob. And then, I think after a couple of years, you know, it was kind of murky where trust and safety ended and legal started.
00:19:10
Speaker
Someone named Kent Walker joined. He's the general counsel of Alphabet now. And so I had two managers. Kent was my legal manager and Rob was my operational manager. And on trust and safety, I oversaw a whole team of investigators and fraud prevention people. And I oversaw...
00:19:32
Speaker
like some other operational teams. Like I was responsible for the policies around what's allowed on eBay, which have some legal implications but extend a lot beyond that. And so for a while, I think for four years at eBay, I was wearing both hats, probably like 75% operational security and safety.
00:19:52
Speaker
And during that time, I started spending a lot of time with the InfoSec team at eBay and the InfoSec team at PayPal. After four years of wearing a little bit of a legal hat and a lot of an operational hat, I was like, I've got to pick one or the other.
00:20:07
Speaker
And I was given the opportunity to go run the North America legal team for PayPal. So I said, goodbye, trust and safety. I'm going to go be a lawyer full time. I think I was meant to be a lawyer.
00:20:21
Speaker
And I went to PayPal, and that was a great experience. I got to essentially be acting general counsel at PayPal, and the general counsel was able to take a sabbatical and go away for a while.
00:20:34
Speaker
So I got to be part of the leadership team, sitting in on the exec meetings, doing things like that. And then I started getting recruited for general counsel roles.
00:20:46
Speaker
And I was like, I'm not sure I really want to do that. I seem to spend a lot of my time hanging out in the other half of the building with the PayPal security team. And the eBay team never stopped calling me. So I kind of had my official job running PayPal Legal North America and my own unofficial job doing security.
00:21:08
Speaker
And then in 2008, I got recruited over to Facebook when it was a small company, smaller than MySpace. And they needed someone to do product counseling around financial services stuff, and probably compliance and operational stuff as well.
00:21:26
Speaker
So it was kind of a hybrid role again. And I went to PayPal. Sorry. So I left PayPal and went to Facebook in 2008. When you go to a place like Facebook in 2008,
00:21:36
Speaker
it's growing so fast that you just end up doing 100 different jobs. Sure. And before I knew it, I was managing some lawyers, and then they asked me to manage... I really enjoyed those first couple of months where I didn't manage anyone.
00:21:49
Speaker
It was really nice to get back to just doing work. But then I ended up managing, I think, a couple of lawyers. And then our general counsel asked me, would you go oversee security?
00:22:03
Speaker
And so actually, initially I managed the CSO. He was like a very early employee who'd already passed, you know, essentially vesting and stuff like that. And he was just there really to help.
00:22:15
Speaker
And so eventually he transitioned out and then I became the chief security officer at Facebook. What was the learning curve for you like as you took on that security role at Facebook?
00:22:27
Speaker
It was pretty intense. But I'd been through the process of, like, when I moved into that PayPal role overseeing the legal team, all of a sudden I was responsible for attorneys and functions that I'd never overseen before or worked in. So patent lawyers and litigators and commercial lawyers.
00:22:49
Speaker
And you realize that your job as a leader is not to become the subject matter expert of everyone on your team, but to figure out how to support them best.
00:23:00
Speaker
And so I didn't feel the pressure to go learn every detail of every corner of security. And I was fortunate that I inherited some pretty strong people, and then, Facebook being the company it was back then, people wanted to work there. So I was able to build a really strong team really quickly, and then I just leaned on their shoulders a lot.
00:23:23
Speaker
But the growth curve for me was more about learning to be a real executive and not spend all my time with the team. Facebook gave me an executive coach, and I'll never forget the number one lesson that she taught me, which was: I was spending 90% of my time with my team and 10% with the other executives, and I needed to change to be 50-50. I needed to start to think of the other executives as my team as much as I thought of my team as my team.
00:23:52
Speaker
And so that was the harder transition for me than the technical side, because I'd been involved in cybersecurity and just kind of eating it up for over a decade at that point.
00:24:04
Speaker
You referenced, I mean, later on at Cloudflare, you know, being brought in by US Cyber Command.

Challenges in Security Leadership

00:24:11
Speaker
I mean, talk to us just for a second about the sort of enormity of the challenge that CISOs or chief security officers face these days with all these zero-day hack opportunities. And I mean, I know a little bit about this, right? Not nearly as much as you do.
00:24:28
Speaker
It just seems like a huge problem, especially when you throw nation state actors into the mix. Yeah, it's not a fair fight.
00:24:39
Speaker
Yeah. First of all, your organization, your company doesn't really understand what you're doing most of the time or understand whether the money spent on your program is money well spent.
00:24:52
Speaker
Because the absence of a problem doesn't mean that the money was well spent. You might have just been lucky. The absence of a problem leads everybody to think they should lower your budget.
00:25:04
Speaker
And so it's just kind of like this strange dynamic. You're doing this work that no one else understands. It's also, I actually think it's very similar to what a legal department does, and I think this will resonate with our listeners, yes.
00:25:19
Speaker
You're the chief security officer or the CISO, depending on whatever titles are used in those contexts, and the general counsel or chief legal officer nowadays. They're the two most senior people inside the company whose job is to think about risk holistically across the whole company. And you look at every other team in the company and you think of all the things that they could screw up and all the problems that they could cause.
00:25:45
Speaker
And the biggest challenge you have is not being that character from Peanuts who shows up with a dark cloud over him and just dripping, you know. You don't want to be the person that everybody runs away from because you're always doom and gloom.
00:25:57
Speaker
But yet, we're usually showing up to tell people, stop doing that, it's too risky, or you should have stopped doing that and you didn't, so now we're in trouble. Those are the two messages I have to deliver too often, and those are the two messages the general counsel has to deliver too often.
00:26:16
Speaker
So I often am surprised when those two teams don't really align because of that shared role, so to speak. Let's talk about that. I'm actually really interested in your view on it.
00:26:28
Speaker
How can legal teams and security work better together? And I'm curious about that in two parts, right? I mean, one, sort of how can GCs and CISOs work well together? But I also, and this has been my experience too, I mean, I used to lead privacy at a couple of companies.
00:26:43
Speaker
I think this relationship, for whatever reason, also seems to be a lot harder when it's, say, someone on the GC's team who has to work with maybe not a real CISO, but...
00:26:56
Speaker
a director of IT who spends 50% of their time on security. How can folks work better together? Yeah, I think that the number one thing that works is viewing that other team as an extension of your team.
00:27:12
Speaker
And at Facebook, for example, and at Uber and Cloudflare, I had a very good relationship with the legal team because I understood their language.
00:27:22
Speaker
Right. And I also saw that my team had a better angle on the risks that the legal team cared about than the legal team did, because we were in the product design meetings, we were in the engineering scoping of what was going to be built. Yes. And so on day one they would tell the privacy lawyer, oh yeah, we totally understand these principles, we'll totally bake them into the code. And then we're actually reviewing the code and can see how it really works.
00:27:56
Speaker
And during the time that I was at Facebook, the biggest technical project that I worked on, and it was massive, was effectively bringing Facebook into compliance with GDPR.
00:28:09
Speaker
Sure. And this was, GDPR didn't come along until what, 2017, 18, but the national principles underlying laws that came out of the EU... At Facebook, we started being told in 2010, 2011, we were becoming a big visible company. The ePrivacy Directive. You need to respect the right to be forgotten. You need to be able to have a page where someone could go and download everything about them, and all of those things.
00:28:37
Speaker
And the hardest of those was re-engineering the entire back end of Facebook to be able to do, like, if you said delete my account, how do I make sure that that's literally wiped out of all of our databases within the 90 days that we promised in our privacy policy.
00:28:54
Speaker
The most nerve-wracking meeting of my career was meeting with a European Data Protection Commissioner, where I was the technical side with the lawyer, and they said to us, we deleted an account 91 days ago and we're going to use your tools to do a query against your databases to see if there's any remnant of that account.
00:29:18
Speaker
Wow. And they told us at the end of the day, and they're like, at 8 a.m. tomorrow, be here with terminal access so that we can do these queries. And I was just like, I really hope tomorrow morning it's going to work. Yeah. Talk about a live demo. Right.
00:29:34
Speaker
But that was a good partnership with Legal: we had been working on that project for years and we felt like we could technically show up. And Legal felt like they could let us technically show up because of the good communication.
00:29:47
Speaker
And so I often think that security and privacy are two sides of the same coin. Like, your job is to document what is and how it's being used.
00:29:58
Speaker
My job is to make sure that no one's taking it, and I can't stop them from taking it if I don't know where it is and who has access to it. One of the things that I noticed is you've always been a chief security officer, not a CISO.
00:30:12
Speaker
And I'm wondering if that was intentional or not, and if there's a lesson there for other folks who may be in similar roles. So chief information security officer is a very defined role.
00:30:24
Speaker
It is overseeing, basically, keep the company from getting hacked. At every company I've been at, I've had a broader role than that. In fact, when I was at Uber, I had a chief information security officer who reported to me. But I also oversaw physical security, trust and safety. So I was responsible for rider and driver safety in the vehicle, executive protection for our leadership, fraud.
00:30:50
Speaker
So I had six different organizations under me, I think, at Uber. And so Chief Information Security Officer is usually a narrower role.
00:31:02
Speaker
Historically, Chief Security Officer used to be assigned to the person who was overseeing physical security alone, in the old days. And now it's evolved to kind of indicate a broader role.
00:31:13
Speaker
Some companies are experimenting with different titles like Chief Trust Officer. Right. I see that when it's combined with a CLO sometimes, or legal and some of these other roles coming together. Yeah.
00:31:27
Speaker
Yeah, and a lot of European companies are experimenting, because you have the data protection officer evolving to become the CISO as well. Interesting.
00:31:38
Speaker
Like last year, I gave a keynote at conferences in Norway, Denmark, and somewhere else in Europe last fall. And at each of those events, I spent a lot of time with the security leaders from the community, and a decent percentage of them, much more than in the United States, came from the legal slash privacy side and are now overseeing technical organizations as well.
00:32:03
Speaker
That's really interesting. Okay, we're at the point in the podcast where I want to talk about the Uber case and your experience with

Reflections on Uber Breach Legal Challenges

00:32:10
Speaker
that. And look, I mean, folks can read as much about this as they want online, but I've read some of it, not like all of it. I mean, essentially, I think this is a debate about: there was a hack that happened around Uber systems, a bug bounty was paid to those hackers.
00:32:26
Speaker
Should this have been disclosed as a breach, or was it disclosed in the right manner? And the FTC was investigating Uber. I don't know if there was a consent decree, I can't remember, but it was investigating Uber at the same time. So that was layered on top of this.
00:32:39
Speaker
I'm not really interested in discussing all the specifics of the case, but I am curious about how you navigated it as an individual. And so I guess my first question to you is, you know, you were a federal prosecutor yourself. So you have some idea about how these things tend to go and how this works.
00:32:56
Speaker
Did you have a sort of thought or an idea that this was coming? I never believed it was going to come, because I'm still fighting the case. It's still pending on appeal, and I still believe I'm going to win, and it's taken some turns that I think are going to help it get there from a legal perspective.
00:33:14
Speaker
But yeah, I was talking about it with my attorney, because you know I was terminated, like I said, I was let go in the fall of 2017, Thanksgiving week, in a very sudden kind of,
00:33:26
Speaker
rude way, and then I went to work at Cloudflare 6. I probably felt worse after I was terminated from Uber than I felt when I got indicted, just because it blindsided me so much, and that the company was taking the view that it was on it.
00:33:49
Speaker
And so I knew for at least a year before the indictment... well, first it was a criminal complaint I was charged with, and then they did an indictment later. So I learned about the criminal complaint the same way I learned that I was getting fired from Uber: in the news.
00:34:04
Speaker
Press release? Yeah, the US Attorney's Office and the FBI did press conferences. They didn't tell me they were going to charge me on that day. I was sitting at my desk working for Cloudflare, working from home because it was August of 2020. So six months into the pandemic, I was sitting at my desk working. And my daughter, who was moving into college that week, she was with her mom, and they called me because I was texting with my ex-wife about how we were going to tell her, like literally on the day she's moving into college. I learned about it.
00:34:43
Speaker
And my daughter calls because her friend heard on NPR that I'd been arrested. And so she started getting people reaching out to her like, are you OK? Because the FBI put out a press release that was a lie. They said that they had arrested me when they actually hadn't. I've never been arrested.
00:35:02
Speaker
I don't know why they did that. After I asked them to retract it, they did, a few weeks later. But they put out that fake press release that everybody... So everybody thought I was in jail. Yeah.
00:35:13
Speaker
And I had to call everybody and say, no, I'm not. That's quite a typo. So it was, yeah, so that was a pretty stressful thing. But at that point, I didn't believe it was going to happen, because I knew what it was like when I was a federal prosecutor. Like, we had a million cases we could do. And I only did cases where it just felt like, honestly, it felt like it was a slam dunk, each case, because you could pick from so many different levels of guilt, so to speak.
00:35:40
Speaker
So, and I knew what really happened in this case. And so I didn't believe, I just didn't believe it. So I was shocked. And then, you know,
00:35:51
Speaker
I didn't go to trial for another two years, so I went back to work and worked for the next two years and put my trust in my lawyers. I will say that the other hard part was the first time I went into the federal courthouse in San Francisco,
00:36:06
Speaker
a couple of months before the trial, and it just hit me on a whole other physical level. Like, here's an office and a courtroom that I've been into as a federal prosecutor, and now sitting at the other table was pretty intense.
00:36:19
Speaker
And I always think of myself as a person who stays calm under pressure, because in security you have what could be the worst situation ever come up like once every two months.
00:36:30
Speaker
And unfortunately it usually isn't, but you have to treat it like it could be the worst thing ever. And so I'm used to that. But when it's about you, it's a much harder emotion. It felt like my brain couldn't think the way I normally can.
00:36:48
Speaker
Like usually I can look at a situation and be like, oh, we need to do this, this and this. Yeah. And I was just like, lawyers, please just do... like my brain just couldn't, like even sitting in trial,
00:37:02
Speaker
I just felt like I was a zombie version of myself, and I wanted to be more active. I think after I lost the trial, I think of it as winning this, we won the sentencing, because that just knocked me out of my stupor and I was like, I need to own this. Yeah. And I did much more for the sentencing.
00:37:24
Speaker
You worked for Cloudflare through this whole thing, in a super high-pressure environment and job, a company that's growing super fast. I mean, how did you manage to do that? That's interesting to me, right? How do you manage to keep working and sort of show up every day? I mean, I guess you're very lucky that they sort of stood by you and they said, we're going to support you through this.
00:37:45
Speaker
I would think focusing on a lot of other stuff would be hard. For the most part, it wasn't. Okay. I love doing security work, and that's why I'm back doing it after going through all this stuff and coming out the other side.
00:38:02
Speaker
Like, I'm working with two public companies and a dozen private companies right now on their security. And so I think, like, I'm in the weeds of the security of a bunch of important companies right now, and I really like doing it.
00:38:17
Speaker
I like working with security engineers. I like working with executives who care about security. And it was an escape from having to think about something that would paralyze me.
00:38:30
Speaker
I guess we talked about it a little bit around the work with the nonprofit, the work with Ukraine. How did you start to build yourself back up after the sentencing?
00:38:42
Speaker
I mean, on the one hand, that turned out very well for you, right? And that, like, you didn't go to jail. Right. So, but, but... Yeah. I mean, the sentencing was a very important day. It was crazy. It was like out of a movie.
00:38:55
Speaker
People who I'd worked with at eBay, PayPal, Facebook, Uber, and Cloudflare showed up, like members of my teams, and none of them had seen each other in a long time. And also even the Cloudflare team hadn't seen each other because of the pandemic.
00:39:09
Speaker
And so it was this chaos in the hallway of the federal courthouse. The bailiff for Judge Orrick came out and yelled at everybody multiple times because they wouldn't be quiet in the hallway. And he was doing this very important trial in another case. And it was like a zoo in his hallway.
00:39:27
Speaker
And then we went in, and I didn't even know this, but the sentencing hearing was broadcast on video on Zoom, which is almost like, you'd never hear of a federal courthouse doing a video for the public. You're still bringing tech to the judicial system. Well, the Zoom crashed because so many people joined it. I had people on the other side of the planet joining in the middle of the night.
00:39:50
Speaker
And so Zoom crashed for a bit. And the sentencing hearing, thankfully, at the end, the judge said it wasn't a cover-up. There have been a million articles written about my case, but the only thing that's never been quoted is the judge saying, well, the bug bounty agreement wasn't a cover-up.
00:40:11
Speaker
And he said that, and then he basically said, go live your life, and sent me on my way. And I got a sentence to probation and community service. And unfortunately, you know, my... I can't even remember how many hours of community service, but I did it in a few months because the Ukraine stuff counted, and I did some other stuff locally too.
00:40:31
Speaker
And so doing community service was not a problem because I was already doing it. And then I wanted to just get back to work. And so I started my own consulting company, and I didn't know if anybody would hire me.
00:40:45
Speaker
And, but like recently, for example, a really well-known public company, they sent over the consulting agreement. They wanted me to work with their company on assessing their program. They were having a transition in leadership on the security and they wanted an independent assessment, and they asked me to come in.
00:41:02
Speaker
And they sent me over their standard consulting agreement. And one of the things was, you know, I certify that I've never been charged or convicted of a crime. And I thought, oh, I have to reply to them.
00:41:16
Speaker
And their GC is going to make an issue of this. And I'm not going to get this consulting. They sent it back and said they'd revised it, and it said, no cases or convictions, comma, other than in the Northern District of California and the case of... and it had my... they literally put the case number in it. It was like, huh, because they wanted me to do the work.
00:41:39
Speaker
Yeah. And so I've been in the middle of that three-month project for them. And initially I thought I'll speak at a couple of conferences, and I wanted to talk about the case a little bit.
00:41:52
Speaker
Not for me, but for other security leaders, because we're in this really fraught place where we're dealing with this world of regulation by enforcement, where we don't have clear laws about how much a company should be doing on cybersecurity.
00:42:09
Speaker
And a lot of people are afraid to do the job now. And I get those calls all the time. Like, I get a call every time there's a really bad security incident happening.
00:42:22
Speaker
The GCs don't want to hear this, but there are security leaders calling me and talking on the side. Like, I don't want to end up like you. How do I deal with this situation? I want to do right by my company, but I'm afraid.
00:42:32
Speaker
And so I want to talk about that. And so I went and spoke at a couple of conferences, and now I got to the point where I have to say, I have to charge you for me to come do this, because I should be doing my job.
00:42:45
Speaker
And now I'm getting paid to go speak at conferences. And it's because we're in this really difficult place around cybersecurity and expectations. Yeah, I mean, you preempted sort of one of my questions, which... I think the first time I heard about your case was talking to a law firm partner, and we were gonna do a webinar somewhat focused on this, for not so much security professionals but privacy professionals, thinking about, is this gonna have a sort of chilling effect, or are people gonna be willing to take on these jobs? You know,
00:43:17
Speaker
Maybe someone's willing to be the AGC for privacy, but they're not gonna be the chief privacy officer anymore, they're not gonna be the CISO anymore, because they don't wanna be the one sort of left holding the bag.

Impact of Legal Issues on CISO Roles

00:43:28
Speaker
Yeah, for the longest time I would get texts or messages or calls from people, and they would say, Joe, can you help me get ready? I'm gonna be interviewing for the CISO or CSO role.
00:43:40
Speaker
Now I get a different call. It's, hey, I've been asked to interview for it. Do I really want to do it? Right. Like, things have changed since my case and the SolarWinds case. And then there have been a bunch of other ones that aren't as well publicized.
00:43:54
Speaker
But there have been a lot of different regulators across the planet. The SolarWinds was SEC, right? Yes. Yeah. SEC civil enforcement action, still pending. What are your biggest learnings or lessons from such a difficult experience?
00:44:09
Speaker
That's a good question. I think that having a good support system during a tough time really matters. I was very fortunate in that I have a really strong family. It turned out that the cybersecurity community was there for me. Judge Orrick at our sentencing hearing, he turned to my lawyers and said, don't ever do that again. And he was talking about the fact that they'd given him 186
00:44:32
Speaker
letters of support for me. And the truth is that that wasn't the complete set of letters. My lawyers had said to me, like, over this eight-month period between losing the trial and my sentencing, people started sending me letters to give to the judge. And it was a silver lining in the whole thing, because I joke around that it was like my own Irish wake.
00:44:56
Speaker
All these people writing me letters, telling them stories about how I'd impacted their lives in a positive way. And so, like, I'm in that really bad place, and all these letters keep coming in. Like every day, it was like popcorn, another letter.
00:45:08
Speaker
And so by the end of that, I had hundreds of letters, and I turned to my lawyers and said, we've got to give these to the judge. And they're like, that's... In security, we call that a DDoS attack.
00:45:20
Speaker
It'll shut down the court system. And so let's just give him the 25 best letters. That was my lawyer's advice. And I said, no, he needs this, he needs to see this, because they're real stories.
00:45:34
Speaker
And so the deal I made with my lawyers is I removed all the form letters, the ones that were like, I'm a CISO, and I don't want you to sentence Joe to prison because I'm afraid for me. Like, all of those needed to be tossed, and then the ones that talked about real stuff added up to 186.
00:45:50
Speaker
So we submitted those, and I really believe Judge Orrick read every single one of them, just by the way he conducted himself throughout the case. I was very fortunate I had a judge who showed up prepared every single day.
00:46:04
Speaker
Wow. As we start to wrap up, I mean, it's such an amazing story, such a challenging experience for you to go through. Yeah, I've got some traditional closing questions for you, which are a lot more fun. Good, like fun. A different sort of mood. Okay, I came up with one different one for you because I think this will be fun.
00:46:24
Speaker
What is it that keeps you up at night as a security professional? It's the risk you don't know about. It's my job to find all the risks and make sure the rest of the executive team at the company understands them.
00:46:36
Speaker
And like, it's a joint decision to accept a risk. Like, companies take risks all the time, especially startups. And they wouldn't exist if they weren't willing to take some risks, but they have to be intentional about the risk.
00:46:49
Speaker
And so I need to be able to know about those risks to either make it go away with a technical solution, make it go away with an operational or policy solution, or work with the leadership team on accepting it.
00:47:04
Speaker
Sure. And the one thing I don't want to ever have to be is the person calling the CEO and saying, I didn't tell you about this big gap in our security and it's been exposed.
00:47:17
Speaker
What's your favorite part of your day-to-day today? I like the variety of companies that I get to work with. And I like security people in general.
00:47:27
Speaker
I say security is a noble profession because I really believe it is. I think everybody in it is in it for the right reason. You don't go into cybersecurity to become a senior executive.
00:47:42
Speaker
There'd always been a ceiling in security. Yeah. I'm one of the few security executives who's reported to CEOs. Most don't. And in fact, they don't want to, because they kind of want to be hidden.
00:47:54
Speaker
So it's not a world of ambition. It's a world of passion about technology. And the cool thing about security is it's technology to protect people. And so everybody in it cares about people, and like, they got to a point in their education, they're like, I like technology and I like doing a version of technology that's helping people.
00:48:14
Speaker
Yeah. And you feel it every day when you work with security people. This is kind of a fun one, I think.

Communication and Professional Growth Advice

00:48:21
Speaker
It's if you have a professional pet peeve. I think it's a really big challenge in my profession in security, and I think I saw it in legal as well, which is that we speak our own language and we tend to do it outside of our tribe. So meaning like, it's okay to talk.
00:48:42
Speaker
Like, I used DDoS a minute ago. Like, I shouldn't have done that. I should have said, a denial of service attack, which is like when you flood a system with a bunch of signals so much that it can't handle it.
00:48:53
Speaker
Right. I don't like when we use our insider language and make other people feel uncomfortable, because most people don't want to speak up and say, when you said that acronym, what do you mean? They don't want to betray their ignorance. And so that's my biggest pet peeve.
00:49:10
Speaker
That's a great answer. And I think something that a lot of lawyers and just people, I mean, people who are working in specific industries with their jargon should take to heart. That's great. Last couple of questions for you.
00:49:21
Speaker
Is there a book that you'd recommend to our audience? I recommend this book all the time and it cracks people up. Like, I go back to that version of the security person who's the Peanuts character. Yeah. We need to be engaging with the other executives and the other teams before the problem happens or even becomes apparent.
00:49:43
Speaker
And so I always recommend go back and read How to Win Friends and Influence People, because I actually think that we need to take one of those tactical things to work every day and try and implement it in our relationships outside of our team.
00:50:02
Speaker
That's great. Okay, last question for you. My traditional closing question. I know you haven't been a lawyer in a while, but if you can think back to when you were just getting started at DOJ or at the US Attorney's Office, something that you know now that you wish that you'd known back then.
00:50:23
Speaker
I have a serious answer and a funny answer. Great. Which one do you want first? Let's do the funny answer first. Okay, the funny answer first. I wish... I didn't know this until I started managing lawyers.
00:50:34
Speaker
No lawyer ever thinks they did a bad job. Okay. So if you're managing five litigators, they will all tell you, I negotiated the best possible outcome in this case. No other lawyer could have got a better outcome. They're advocates. And they're self-advocates.
00:50:53
Speaker
So I've managed lawyers and I've managed engineers. Engineers are the exact opposite. Code doesn't lie. You type a line and you hit enter, and if it doesn't work, it doesn't work.
00:51:04
Speaker
So they get humbled over and over again. And so managing people who think they've done the best job ever versus managing people who feel like they're always failing, it's completely different.
00:51:18
Speaker
That's interesting. I've never thought about it quite that way before. So I consider lawyers much more difficult to manage than engineers. Might be one of the reasons why I haven't gone back.
00:51:30
Speaker
And so that's the funny answer, I think. And then the serious answer was, I wish that I knew about the roles that a lawyer can play inside a corporation.
00:51:41
Speaker
Like, I think growing up, I didn't know about product lawyer as a concept. For sure. Maybe it didn't exist back then the way it does now. But I think product lawyer is the coolest job because you're helping build stuff.
00:51:56
Speaker
And too much of security and legal work is coming in as the fire department afterwards. Right. And so getting to be part of building something that's going to go out into the world and be meaningful, that's really fun.
00:52:11
Speaker
And I really enjoyed the short time that I got to be a product lawyer, at, I think, eBay and then at Facebook, because you got to be in those decisions on brainstorming, innovation.
00:52:26
Speaker
And I always remember Mike Jacobson, who was the general counsel at eBay, he always got invited to meetings that I didn't think a lawyer needed to be invited to. And I remember one time I said to Rob Chestnut, I said, why is Mike Jay always invited to all the meetings?
00:52:43
Speaker
And it was because he gives good business advice. And so he was the... like, that goal of being a leader of the company, you can't... nobody wants a one-trick pony.
00:52:54
Speaker
And everyone wants someone who's going to help them think about all of the issues at the company. And so I wish I knew about that, that like, as a lawyer, going and being a general counsel, being a product lawyer, being part of a company is very different from going to the Department of Justice or going to a law firm.
00:53:13
Speaker
And so for whatever reason, I didn't have exposure to that kind of in-house practice, especially in kind of an innovation company. So I wish I'd known about that. That's a great answer. And I think one of the themes of this podcast and something that we're trying to do with all of our guests.
00:53:31
Speaker
Joe, thank you so much for coming and joining me for this episode of The Abstract, and for being so open and candid with your story and your experience. This has really been a pleasure.
00:53:42
Speaker
Awesome. Thanks for having me. And to all of our listeners, thanks so much for tuning in and we hope to see you next time.