Joe Sullivan was a rock star in the information security world. One of the first federal prosecutors to work on cybercrime cases in the late 1990s, he jumped into the corporate security world in 2002, eventually taking on high-profile roles as chief of security at Facebook and Uber.

When the security community made its annual summer pilgrimage to Las Vegas for two conferences, Sullivan was an easily recognizable figure: tall with shaggy hair, wearing sneakers and a hoodie.

“Everyone knew him; I was in awe, frankly,” said Renee Guttmann, who was chief information security officer for Coca-Cola and Campbell Soup. “He was an industry leader.”

So it came as a shock to many in the community when Sullivan was fired by Uber in 2017, accused of mishandling a security incident the year before.

Despite the scandal, Sullivan got a new job as chief of security at Cloudflare, an internet infrastructure company. But the investigation into the incident at Uber continued, and in 2020, the same prosecutor’s office where Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced potential criminal liability for an alleged data breach. Sullivan has pleaded not guilty to the charges.

Sullivan stepped down from his job at Cloudflare in July, in preparation for his trial, which begins this week in U.S. District Court in San Francisco. Other chief security officers are following the case closely, worried about what it means for them.

Chief information security officers, or CISOs, are responsible for ensuring that their companies’ data remains safe from hackers and fraudsters, a high-stakes job that has become increasingly tricky.

In the past year or so alone, T-Mobile, Planned Parenthood and NFT marketplace OpenSea have been hacked. Perfect security is impossible, and now CISOs are wondering what happens if — or rather when — they fail.

If Sullivan is convicted, they worry the outcome could set a precedent for who is at fault for a data breach. Could they be left holding the bag?
©2019 New York Times News Service