ITSPmagazine Podcast Network

We Need to Stop the Temperature From Rising If We Don't Want to Ice the CISO Role | A Black Hat Europe 2023 Event Coverage Conversation with Joe Sullivan

Episode Summary

Most of the time, for these event coverage conversations, we get to connect with keynote speakers to learn more about the topic they plan to share at the event. During our conversation with Joe Sullivan, we did that ... and so, so much more. Tune in to this (dare we say, approaching emotional) conversation to hear about Joe's journey and all the things he is doing to help keep the CISO role safe and successful.

Episode Notes

Guest: Joe Sulllivan, CEO at Ukraine Friends [@UkraineFriends_]

On Linkedin |

At Black Hat Europe |



Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine |

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine |


Episode Notes

Most of the time, for these event coverage conversations, we get to connect with keynote speakers to learn more about the topic they plan to share at the event. During our conversation with Joe Sullivan, we did that ... and so, so much more.

We talk about Joe's role in prosecuting cyber crime—and the ironic twist where he was charged and convicted as the former CISO at Uber. We touch on Tim Brown's situation with the SEC as a result of the SolarWinds Breach. And then Joe takes this conversation to the stratosphere to shed some light on the trends he is seeing, the rise in the pressure for the role and the rise in the temperature across the CISO community. He discusses the challenges the CISO role continues to face, and how the growing fear of personal liability as a result of the conflict between the public and private sectors could ultimately ice the role and make it ineffective. Joe wants to change this, is leveraging Black Hat, ITSPmagazine, and other outlets to do so. But he needs the community's help as well.

Tune in to this (dare we say, approaching emotional) conversation to hear about Joe's journey and all the things he is doing to help keep the CISO role safe and successful. And, most importantly, how you—a security professional that cares about good winning over evil—can join yet another fight for good.

About Joe's Keynote at Black Hat Europe 2023 in London, England—'My Lessons from the Uber Case': In a case closely watched and debated by security professionals globally, Joe Sullivan was convicted of two felonies related to a security incident at Uber that the company had labeled a coverup when it fired him. The decision reverberated throughout the security community, but still left many unanswered questions. Before the judge sentenced him, Sullivan committed that he would speak wherever possible about the need for a better model for collaboration between the private sector and government. The judge rejected the claims by the prosecutors and Uber that the use of an NDA during the investigation was a coverup, and sentenced Sullivan to probation only.

Today, Sullivan mentors security leaders and consults on security best practices, in addition to serving as volunteer CEO of the nonprofit humanitarian relief organization Ukraine Friends. In a candid conversation, Sullivan will share the lessons he hopes security professionals all learn from his case, so that they, their team, and their company don't ever go through anything similar. He will also make suggestions for how the private sector and government can better collaborate and share other insights about the high-stakes pressures on security executives in an era of unrelenting breaches, ransomware, and automated attacks.



My Lessons from the Uber Case:

Black Hat Executive Summit:

Learn more about Black Hat Europe 2023:


Watch this and other videos on ITSPmagazine's YouTube Channel

Black Hat Europe 2023 playlist: 📺

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist: 📺

ITSPmagazine YouTube Channel: 📺

Be sure to share and subscribe!

Are you interested in sponsoring an ITSPmagazine Channel?


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.


[00:00:00] Sean Martin: Marco.  

[00:00:01] Marco Ciappelli: Sean.  

[00:00:02] Sean Martin: think it's time. Time for the community. To get together again. Yeah. So, so we had, what was it? RSA earlier in the year. We had a great hacker summer camp mid year. Uh, we had InfoSec Europe mixed in there in the summer and I know Black Hat's Europe is coming, uh, in a few weeks, actually a couple of weeks. 

[00:00:29] Marco Ciappelli: And you know where it is.  

[00:00:31] Sean Martin: It's the same place that we were at before they EXCEL London.  

[00:00:35] Marco Ciappelli: Have you ever left? Have you ever left? Are you still there?  

[00:00:38] Sean Martin: I'm still there. I'm still there, but you know who's going to be there and they have to have a cool. Well, many things they're going to be doing, but one, one of the coolest spots that, uh, one of the coolest events. 

That's the keynote on, uh, on Thursday. And that is Joe Sullivan. For those watching, you've already seen Joe on screen. You haven't heard him speak yet. Joe, thanks for, uh, thanks for joining us.  

[00:01:05] Joe Sullivan: Hey guys, thanks for having me on.  

[00:01:07] Marco Ciappelli: It's going to be a great conversation. And just to make it clear, Black Hat Europe, that's what we are covering with this conversation December 4th to the 7th at the Excel, where InfoSecurity was, and so that's why we made a joke, because we were there. 

[00:01:25] Sean Martin: Exactly. I don't think we're going to make it to Europe, or to London for this particular event, but we do get to connect with everybody that has cool things to say, and we're going to have a lot of fun. Thanks. Someone has really cool, but even more important things to say is Joe Sullivan. Joe, congrats on, on, uh, getting the, the keynote speaking spot there. 

Um, well earned for those who know, uh, kind of the, some of the things you've experienced in the, the, the path that you've, that you've taken to, uh, to arrive at today and to get to that spot on the stage. Um, for those who may not be familiar with you. Uh, a few, a few words if you might, just how you entered the field, some of the things you've done, um, and basically an arrival to, to the Black Hat Keynote, if you wouldn't mind. 

[00:02:23] Joe Sullivan: Sure. Yeah, so I started in security back in the 90s. Uh, I was a, a US federal government employee. I was, uh, and I was the person who in 1995 pushed and pushed and pushed the Department of Justice to let me, uh, have a direct internet connection in my office. Uh, I, uh, soon after became, uh, one of the first federal prosecutors in the United States who was, uh, prosecuting cyber crime. 

Uh, I was doing that actually from Las Vegas, US Attorney's Office. I moved to Northern California, uh, Robert Mueller, who, uh, right before he became the head of the FBI was the U. S. attorney for, for Silicon Valley for Northern California. And he wanted to have a dedicated high tech crime prosecution unit. 

And I was lucky enough to be one of the founding members of that unit. So we were the first team who got to just full time prosecute high tech cases, sitting in Silicon Valley, working most of the time, hand in hand with the different tech companies in the Valley. Um, you know, it was my job to essentially go to the companies and say, tell us about the cybercrime. 

Let us help you. I'm from the government and I'm here to help. And that, uh, led to a lot of interesting, uh, uh, and rewarding cases. I even got to work on the digital evidence side of the 9 11 investigation, uh, along with a lot of other more traditional cyber type cases that we've seen ever since. Um, I then moved to eBay, uh, to take over and run their, um, e crime fraud team. 

And also I managed their policies around what was allowed for sale on eBay. So got to deal with a lot of, um, first of their kind issues. And at eBay, I started, I spent, um, I don't know, I, I racked up a lot of mileage, uh, flying around the world, training governments and law enforcement on how to, um, do investigations on the internet, uh, and, and deal with cybercrime and, and, and spent a lot of time trying to convince government agencies to work partner in partnership with companies. 

Uh, uh, to keep the customer safe and governments weren't investing a lot in cyber security back then or protecting people online. So it was, it was a bit of an uphill battle. Did that at eBay, uh, went over to the PayPal side of the house for a couple of years, and then eventually in 2008, went over to Facebook. 

I was, uh, joined Facebook when we were smaller than MySpace, uh, and stayed through the IPO and to a company with, you know, over a billion customers after we, you know, I was there for when we, we acquired, uh, Instagram, we acquired WhatsApp, we acquired Oculus. So I lived through all of those experiences, um, as the chief security officer of the company. 

I built a security team there from, um, probably half a dozen people to hundreds and, uh, then in 2015, uh, I, I started thinking it was getting a little quiet at our big company and, you know, we had security under control. I didn't have the crystal ball to see the 2016 election and, and, and, uh, Cambridge Analytica and the things that came after my departure, but, uh, it turned, it turns out that, uh, it didn't stay boring for long there, but. 

I jumped in 2015 over to Uber, um, because it was what I thought, uh, the biggest security train wreck, uh, of a company. Uh, you know, they had in 2014 had gone through just about every possible negative public security incident you could imagine. Uh, a really tragic sexual assault case in India that was global news, stories in the United States about, um, Uh, insiders at the company looking up information about customers that they shouldn't be looking at, including even tracking reporters coming to the office for interviews, uh, not, uh, you know, the company's reputation was in shambles. 

And then, uh, to top it off at the end of, I think 2014, they announced a major data breach. So. Outside the news, they also had a massive fraud problem. You know, we're losing money madly. The company was valued at 40 billion already. So jumped in there, uh, and, um, built, uh, a security team from about half a dozen, again, up into hundreds and hundreds, uh, there I oversaw physical security, fraud, um, rider and driver safety. 

So safety of anyone in the car, around the car. Um, hired a chief information security officer under me. So I had InfoSec, investigations, anything at all, uh, security related. That was kind of my job. Uh, that didn't end well, unfortunately was, uh, uh, in the summer of 20, spring of 2017, our CEO stepped down, uh, and those of us who were underneath him reporting to him, we became co CEOs of the company for a few months. 

So I. Got to experience being co CEO with nine other people, which I don't recommend. It's hard to get nine people to agree on anything. Um, and then, uh, we hired a new CEO along with the board and then, um, he fired me in the fall and labeled me as someone involved in a coverup. Um, I, um. You know, kind of landed on my feet in the spring of 2018, went on to join Cloudflare. 

Well, it was a small private company and, um, it was very fortunate, fortunate to be able to work with them for four years up until last October. Uh, and, uh, maybe a little more than four years total. Uh, I've got to see them grow up into, you know, really amazing security company, uh, that probably more than 20 percent of the internet's traffic goes through right now and, uh, um, and, uh, I got to learn a ton from the leadership team there and, uh, I left, I left there last October, uh, I'm the CEO of, uh, uh, A non profit that's focused on humanitarian aid to Ukraine now. 

I spent about half my time doing that. Back next week, I'll be going to Europe a week before Black Hat. I'll be spending a week in Ukraine bringing over and delivering a bunch of laptops to kids who are stuck in remote schooling. Getting them set up, kind of, holiday gifts for the kids over there to get them excited about remote learning. 

It's hard on them. A war zone and we also bring medical equipment and, uh, stuff like that over to help people who are kind of stuck there. And, uh, I also do some security consulting and advising on the side these days.  

[00:09:03] Marco Ciappelli: Wow. Joe, I feel like you just gave me the history of being a CISO and, and cyber crime in five minutes. 

like the history of the world. So I'll be honest, I don't even know where to start, but I do, I do have a point that I made a note. At the beginning when you were you say you were walking into company before you went to eBay and say Representing the government and say how can we help? I put that as a highlight that that quote right there because I feel like from that day or that period or that Intention. 

Uh, it seems that now the the picture is it's a little bit different than how can I help? So am I going somewhere with this? Maybe?  

[00:09:50] Joe Sullivan: Yeah, I know. I know exactly where you're going. I mean, you know, the one thing I didn't mention in that very long bio narrative that I just gave was, Okay. You know, the fallout from my time at Uber was that in 2020, I was charged with obstruction of justice and misprision of a felony by the U. 

S. Attorney's Office that I used to work at. So, you know, the head of the office was a former peer and that was a pretty strange experience to be, um, you know, I used to sit on the prosecutor at the prosecutor table, and then I switched over to sit at the defendant's table. And, um, and so I had to live through, um, you know, a criminal case. 

We went to trial. Um, I lost. Um, and, uh, last May, uh, we had a sentencing hearing, and the judge, um, you know, the government had been arguing, you know, along the same thing that Uber had said that I'd done a cover up. The judge said that the NDA and the work that my team did Judge said the team's work was outstanding, that the NDA was not a cover up, and he rejected the government's request that I be sentenced to prison. 

Um, and so I'm, I'm on probation doing community service, like the work that I do in Ukraine, um, which I was doing before. The judge sentencing, but, um, yeah, so I think a lot about and have spent a lot of time thinking about the dynamic between the public and private sector. I mean, to me, it was the biggest irony of my life that the thing that I've spent more than 25 years championing, getting the public and private sector working together. 

I'm the poster child for not doing it right in the eyes of the government right now. And, um, that's, you know, that's part of what I said to the judge at my sentencing hearing. You know, I was the last person to speak before he issued the sentence. I said, um, if, if you don't send me to prison, I actually, I don't know if I said, if you don't, I said, if given the chance, I will, um, I will go out and talk to everybody I can about how we can do this better. 

We need to do this better. The government and the private sector need to work together. The reality is, neither will succeed unless we're working together. There are real... Bad guys on the internet. I don't know if bad guys is the right word. Threat actors, nation states that are trying to take advantage of the West. 

Um, cyber criminals who are trying to make money. Uh, kids trying to, you know, mess things up for kicks. Um, they're all out there and. Unless, uh, the security people inside our companies and the security people inside our governments work together, neither of us is going to be strong enough alone to get the job done because there's something fundamentally different. 

I get, I, the more I think about it, the more I I've come to appreciate, uh, um, the historic historically, the dynamic between the public sector and the private citizens. Um, you know, if we go back thousands and thousands of years and look at why did people. Bond together in communities. It was for common defense and then, you know, and then we professionalized our defense with, with police and militaries and things like that. 

And we gave them a lot of power in our communities so that they would protect us from the world. Uh, and they, and they, you know, and by and large, that's the way the model has operated for thousands and thousands of years, and it actually works because you know, in the physical world, you can have the. You know, you can have borders and boundaries and you can put your military there and then the people on the inside can feel safe. 

Um, but the internet's different because. Most of the internet is operated in private hands. And so the people in the government who are supposed to be protecting us, they're blind unless the people in, in, in the, in the companies cooperate with them. And so, um, that's why I always, you know, when I wore the government hat and when I wore the private sector hat, that's why I thought we had to work together to protect people. 

And, um, yeah.  

[00:14:10] Sean Martin: So Joe, I want to, I want to talk to you about the, the, the temperature. Um, is it, there's been at least another high profile poster hung. Um, and I think, yeah, it's been, been, been a while since that was kind of alluded to that it was going to happen, but, uh, you know, I know I've always thought and actually wrote a series on this that, uh, am I, the title of the series, blog series is, am I wrong for not wanting to be a CISO? 

Cause I always feel that there's this overwhelming pressure to only succeed, never fail, right? So there's just that level of pressure to begin with. And then when you, when you start now having to deal with. People against you not just the threat actors, but people that are supposed supposedly supposed to be on your side Against you that that completely destroys the the culture like talk about icing a role, right? 

Can I use the word handcuff handcuff the person in the role to not want to do anything that might Be seen as inappropriate or out of bounds or in some gray area that, or, or miss something, even not even intentionally, uh, make a decision, but miss something. So talk to me about the, the temperature and the culture and how you see, we might. 

Raise it to a comfortable level, uh, where we're not icing that role like we are today.  

[00:15:45] Joe Sullivan: Yeah. Well, first, Sean, I'll say you're right. Uh, I spend a lot of time talking with security executives and security people inside companies. Um, first, you know, after I got fired from Uber in 2017, um, really through to my sentencing, I was invited and I spoke a lot with security leaders kind of in these closed door sessions, uh, with Chatham House rule type environments where they just wanted to know what happened to you and how do I avoid it happening to me? 

What are the lessons learned? And, um, they started getting, and so that was part one of the conversations. And then part two was I, I, I get so many of these one off calls, either directly from someone I know or through an introduction and it's like, Joe, I'm really nervous, I'm in a situation right now, I think I've learned about like 99 percent of the breaches that have made public news, I think I heard about them before they became public. 

And I, and then I heard about 10 times those that you never heard of because. I spoke with the security leader there. And the reality is every security leader in a crisis situation isn't only thinking about how do I navigate this for the company and our customers, they're worried about themselves, and it's, and they're scared. 

Um, and so that that temperature was rising and rising over the last few years. And then what's happened with SolarWinds and Tim, the CISO from SolarWinds being named by in, in the SEC fraud lawsuit. Recently it's gone like the, the, the, the panic has gone to like boiling level now and. There's a lot of anxiety and stress and we have to, um, I think part of the problem is that, that, that the panic and stress that's happening in the security community inside the companies, it's not public enough that it's, we need to, I don't think the people inside the government, I think everybody on every side wants the right things. 

I think that the people inside the government. They want to protect people and make sure that people are safe on the internet. And the people inside the companies want the same thing, but neither side understands the other. And so we need more transparency and visibility, and we need to talk about ways to diffuse this heat and get the sides to understand each other, where they're coming from. 

And. I keep saying someone has to do it, and, um, I guess I told the judge that I would do it, and so here I am.  

[00:18:29] Marco Ciappelli: And the big problem, I think, is where you start. Before we, we started recording, I thought about the fact that there are other jobs. roles in our society that if you do that job in fear, you're probably not going to do the job right. 

Um, and then in particular we talk about the medical profession and how everybody expects you to be perfect, but still like Be innovative, do the best that you can and have eyes pretty much 360 all over and even on top of your head. And you're just not allowed to make mistakes, but if you think about that, you're, you're probably not performing at your best. 

And there, there gotta be a safety net, I think, for this. And, uh, and one thing that you mentioned at that point is the fact that you don't go into cybersecurity for the glory. You do because you want to get, you want to be useful. You want to fight crime. And this could be also a perception in the news that I think sometimes they just push the negative conversation. 

So maybe a couple of points of perspective from you on this.  

[00:19:43] Joe Sullivan: Absolutely. I think we all at different points in our career, reach these, reach these forks in the road. And I had one of those. At a certain point, uh, I was at a path, you know, I had been a lawyer and I was working inside tech companies and I was getting recruited to go be a general counsel of companies and I chose a different path. 

I chose security instead. And hung up that lawyer, put away that lawyer degree and focused on managing engineers and playing defense as a team, uh, because it felt so much more rewarding to me and I liked the people I was working with. I mean, put aside that, uh, engineers are much easier to manage than lawyers. 

That's a joke story for another day. Um, but, uh. When you work in security, you feel like you're surrounded by mission oriented people. You know, I spent the first eight years of my career in government service. I went into government straight from school. And, and I, at the time I thought I would stay in government my whole career and my whole career had I always wanted to be focused on helping people and doing things that felt mission oriented and rewarding. 

And I love working around people like that. You could sit with any security team inside any company in the world, and that's the passion. I mean, sometimes that passion makes it. We get in our own way because we're so security absolutist, uh, and, you know, we butt heads a little too much with the other teams inside the company or money absolutist. 

Um, but, uh, you know, usually we, we love our work because of that passion and. What we don't want is what has the potential to happen right now. And what I think is happening a little bit, I do know people who've, who've stopped being security executives who've stopped being CSOs or CSOs because they said that, you know, the water I'm in is starting to boil a little too much. 

And I think I. You know, I'd rather go, um, be a consultant or I'd rather go work at a startup in an engineering role, or I'd rather go, um, just be on, on the outside. I mean, I know when, um, when you step away from the security, when I stepped away from the security executive role at, at CloudFlare last year, I mean, I. 

I felt two weights lifted off my shoulders. The first was the responsibility. You know, you're the person inside that company who has the responsibility to make sure that the company doesn't get hacked and all your customers hurt. That's a heavy responsibility and that's heavy enough. That's a weight that a lot of people are happy and willing to take on because it, because of the mission, because of the responsibility is a good responsibility. 

But, but I also felt the weight go away when I stepped away because I knew I was not going to be in a situation where I would be second guessed. And that is, that is a, um, what I think my job now. Is partially about and why I want to, I'm looking forward to doing this, these talks at Black Hat and wherever anyone else will invite me to speak, uh, is because I think we need to get people to understand that having that pressure. 

Like, we want people to take the, that first pressure on and do it well and run with that weight. Uh, and we want the strongest people to take on that weight because they'll carry it. The, you know, the furthest and the best. Uh, but if we, if we don't deal with that second issue, you know, people aren't gonna choose to play the sport. 

[00:23:42] Sean Martin: So let, let, let's talk about all the things you're doing. Uh. in London. Uh, three days, three different activities, uh, culminating on the third day with your keynotes. So we'll end there. Talk to us about the other two events or activities that you're, you're involved with. And I really want to know, I'm, I'm thinking from security executives, security leader, maybe even practitioners aspiring to sit in that role. 

Um, but might, might have concerns. What are those, yeah. Activities, conversations, presentations, about. Um, what are you going to say? What, what are you going to hear? What, what's the objective for each of them?  

[00:24:32] Joe Sullivan: Yeah, I, um, I out like one of my goals is to learn as much as I share, uh, every time I get out there and like the reason I like going to conferences like Black Hat and I've been going to Black Hat in Vegas for forever. 

And. Um, I'm excited to go, uh, in London, uh, for my first Black Hat Europe to, to, to get, to get to know that community in Europe a little better. I've, I've done lots of security events in Europe and keynoted conferences and. And in countries across Europe and managed teams across Europe, but I missed that. 

I haven't had that chance in a bit and I wanted, I want to learn, um, how it's going over there in terms of the pressure that I'm learning so much about that people who are in the, in the role right now are feeling in the United States and other places that I want to compare notes and, and all that. So yeah, three days, um. 

One of the things that Black Hat does really well is, um, they put on an exec summit, uh, in, in, in Las Vegas for Black Hat USA. It's, it's called the, um, CISO summit. And then, uh, in Europe, it's called the exec summit. And it's, it's the thing that when I, when I was a baby CISO, when I was the first running security at Facebook, I felt so out of my depth as a security leader, it's a really, really lonely position. 

You. You are supposed to look to the exec team and the board like you've got it all figured out. You're there, you know, you're the person who's the top expert in the company on security. So you can't show weakness to them. And then you you're managing a whole team of security professionals and they all look up to you and you're the leader and you're supposed to inspire them and you can't show weakness to them. 

So who do you turn to to ask questions? How do I do a better job communicating to the board? How do I better do a better job fighting for resources? How do I do a better job making sure that I'm prioritizing the right things? Um, where should I be proactive versus reactive? The CISO community is amazing in that regard. 

We all have leaned on each other. I have so many mentors and I've tried to be as give back as much as, and so the best. thing that I could ever do as a security leader was go to something like the Black Hat Exec Summit and get in the room with my peers and say, Oh, you know what I'm struggling with today? 

This. And then the like, Oh, here's how I solved that. It's just, it's so incredibly valuable. Um, and it's a different conversation than it happens, you know, in front of. Of the teams, because it's, it's where the leaders can be vulnerable. And so the first thing I'm doing in London this year is, uh, I'm going to spend a full day at that, uh, exec summit, and I'll be one of the keynote speakers there and I'll talk about the cases and the stuff we're talking about, but specifically with the lens of the security leader as an individual, how can they, um, think about these things? 

And in that environment, That's  

[00:27:48] Sean Martin: a chat mouse rules environment where. You can share freely and what, what happens in that room stays in that room. And likewise, the other people in there can share with you as well and each other.  

[00:28:01] Joe Sullivan: Yeah. And, and what happens in that room is amazing because it's not one person standing there talking at everybody. 

It's a room full of experts. It's the people who are at the top of the profession and there's not a person in the room who doesn't have a valuable perspective. And so it's, you know. I sparked the conversation by standing up on the stage, but I want to be there for the whole day because then when I get off the stage, it's all the little conversations that will happen the rest of the day into the evening with those people that will be the most valuable parts of it. 

And so that's day one. I mean, that's what I did. I did a version of that for Black Hat USA. And, um, I think that went so well this summer that the leadership team from Black Hat reached out and said, Could you do a version of that, uh, as a main stage keynote for us? Because it, it just, everybody was just, like, like I said, it wasn't just me, it was the conversation. 

Um, and so I, I, I enjoyed that so much. I, I was talking to the organizers of Black Hat Europe and they said, Well, we do this thing, um, kind of like community sessions that are very interactive. And, um, Would you be interested in doing one? And I said, sure. And so that's the second day, uh, I will, um, have a community session. 

Uh, it will be, um, it'll be more informal. It'll be, you know, it's kind of like, uh, I'll be in a room and if people show up, we'll get together and we'll just kind of talk. And so that can be more like Q and A and dialogue. And, and I thought that was a good idea because I, um, I did a different talk at DEF CON, uh, this, uh, past summer. 

I talked about this case from the perspective of the security researcher and how we want to continue to promote security research. But after the session ended, so many people from the DEF CON community came over and wanted to talk. The Dagoons, the security people from DEF CON, they, they literally went and grabbed a giant room next door and herded us all into it so that the next session could happen at DEF CON. 

And we ended up staying in that room and just talking. For two hours, just kind of, and so I'm, that's what I envisioned is going to happen on day two. It's just, we're going to just have a conversation with the community. Um, and I will, like I said, I will learn so much because I don't get to interact directly with people, um, as much as I would like to. 

And so that's day two and then. I think probably at the end of day two, I'm going to have to go and tweak my keynote speech for day three, because I will have learned, I will have learned so much from those two days. I never liked going to a conference and showing up, just walking up on stage and speaking. 

I always want to get to know the people that I'm going to be. engaged with because nobody wants a canned speech. Everybody wants something that's relevant for them. And I think by the time we get to day three, um, and I get to do that keynote on the main stage, I'll be able to share back to the, to the, to, you know, the whole community, not just how I think about these issues, but how all of the executives and attendants think and how a bunch of the people, you know, from, from different angles of the security community are thinking about it. 

And, um, And then, you know, and then I, I will give a better talk because of those first two days.  

[00:31:26] Marco Ciappelli: You know, I'm thinking to going back to you talking about standing in front of the board and everybody expecting you to be the person that knows everything. And also how I may piss off a couple of people here, but I don't know if they really care to know how it works. 

They just want you to care about. Not getting in trouble, right? But in an ideal world, I would love for other C level people to be at that keynote that you're about to give so that you can kind of see things from the other perspective. It's called empathy and probably it would help a lot of people to get there. 

[00:32:08] Joe Sullivan: You know, uh, I think you're right. Uh, I've had some, I've spoken at some events, uh, recently I spoke at an event in Washington, DC. It was a smaller group, um, uh, it was a group of company leaders with their, um, security executives. And, uh, all of the security executives wanted to come up to me afterwards and say, thank you for talking about this in front of my boss, um, because my boss needed to hear this and I think, and I think we are at, um, I think there's actually, uh, one of the things I tell this, I will tell in the exec session on, on the first day, right now is the right time for every security executive in every company in the world to go to their general counsel and say, We need to have an exact session and talk about what happened in the SolarWinds case and what happened in the Uber case, because Of two things. 

Number one, do you know what the judge said at my sentencing hearing? He said, where's the CEO and where's the company? I don't understand why the security leader is the only one here. It doesn't make sense to me. That's what the judge said at the sentencing. He didn't say to me, he said it to the United States department of justice. 

He put them on the hot seat. He said, why didn't you charge them? And I think that was a very clear message from, from the judge. And he wasn't just speaking for himself, he was speaking for all the judges. And I think he was also speaking for the public. Um, and that was number one. Um, but number two, um, you know, with the SEC, um, getting involved here in the United States, um. 

In the SolarWinds case, um, they might've named the, the, the, the head of security in the action, but their, their message is also broader, you know, they're, they're, the SEC, isn't just coming at it with this one case. They've also, you know, put a bunch of regulation in place. That's about to kick in, in December that puts. 

Companies on notice that they need to be transparent about their investment in security. They need to be transparent about how much security skill they have on their board and so on. So, um, I saw an amazing, I saw a scathing article, uh, this week talking about what's happened over at Clorox where they had a security incident and they're apparently, I don't know any of the, uh, close facts. 

Um, but like just from reading it, uh, from a distance, it sounds like the CISO got fired and the board got a raise and the CEO got a raise and people aren't happy about that. Um, you know, we also have the example of the Drizzly case where the CEO. Um, personally was named by the FTC and we have the Yahoo case where the board was sued. 

Uh, so I think that, you know, I think the temperature is changing, not just for the security leadership, it's going to be the rest of the company that's going to be held accountable. And honestly, from the standpoint of the CISO, that's the right thing. Uh, one of the things that the world doesn't. I think the world at large doesn't appreciate how hard the role of a CISO is and how limited your power is inside an organization. 

You know, I believe if you stopped 12 people on the street and said, Hey, company X had a security problem and people got hurt and they have a head of security, who should get fired? Everybody would say the head of security, right? Cause it seems logical. But then what if you said, well, that person had been raising the red flag for the last five years, asking for more resources, not getting it. 

Uh, the company had a risk register and just listed all the things that the CISO was worried about, but didn't fix them. And, uh, the, the company does not, you know, have world class and every, in, you know, seven out of 10 areas of security, um, who, who, who should be at fault for that? It's, it's, it's not one person who has the security title. 

And, and so, but the world doesn't know that. And, uh, you know, we have to scream more loudly, you know, me speaking at Black Hat's not going to like raise awareness outside of the security community, but this is first step. 

[00:36:34] Sean Martin: I love it. And maybe as we, uh, as we wrap here, Joe, I want to give you the. The final word is that we started with a collaboration between public and private, and you just mentioned that we, we need to have more transparency and, and we talked about having a vision to work together to be partners in this, right? 

Not against each other. So, what, what do you hope folks get from. Your time in all those sessions that you're doing from a perspective. Yeah.  

[00:37:10] Joe Sullivan: So I, I have three specific areas that I, that I'm going to go deep on the recommendations that we just don't have time to get into here and hopefully people will come to this, come to the events to, to hear these things. 

But I think, you know, there's a lot we can do proactively. To, to prevent these worst case scenarios from happening. Uh, one of, one of the best, uh, mentors and leaders I ever had. He was the CEO at eBay back in the day. I went to him and I said, Maynard, I feel like every day I, all I do is put out fires and my team is just drowning from putting out fires and he said. 

If, if, if it's your team's job to put out fires, build a fire department. And I was like, what do you mean? He's like, well, you can go buy a fire department. And even while a crew's out putting out a fire, you'll see another crew's asleep and another one's polishing the engines. Like you staff it right. You structure it well, you plan for, you know, you have ladders that are long enough for the, you know, the tallest building in town, you state put this. 

Yeah. It's like you plan ahead, you'd be proactive and then you can put out all the fires and your team won't burn out. Well, There's a lot we can be doing in security and, and I've put together a lot of best practices, you know, not just on my own from, you know, my experiences, but from talking to lots of people over these last few years. 

So I think there's a lot we can do to get ahead of this stuff. That's number one. Number two. I think we still have to, you know, assume, you know, prepare, assume the best, but prepare for the worst. And CISO security leaders and even security teams have to have their own personal incident response plans. 

Like what I had to go through in terms of being fired and having my name plastered on the front of every newspaper in the world and having to like hire a PR person, multiple law firms in the middle of the night without a computer. Like, I don't want anybody to go through that. And if, but if you have to go through it, you know. 

Let me tell you how I would have done it a second, you know, if I had to go through it a second time because I'd be prepared and then it wouldn't have as big an impact, a negative impact. Um, and then the third thing is I think the most important is we have to fight through that, you know, the anxiety, the desire to curl up in a ball. 

We have to actually stand up strong. We need to go walk over and talk to the government, put out our hand and say, let's work together. Let me tell you about what we're doing. Let me tell you about our struggles. Let me tell you about our challenges. And, and by the way, tell me about yours. Maybe we can help you too. 

And I have a bunch of ideas on that area too, because I don't want my case and Tim's case and others like it to stand for the end of cooperation, because like we said earlier, we have to come together. We have to work together. And so. What can we actually do to get to a better place? And there are lots of government agencies and private companies that are working well together. 

And we should celebrate that stuff and look at the best practices.  

[00:40:05] Sean Martin: So to answer your question, Joe, what do we have to do? We, we, we connect with you in London at the Excel London. December 4th through the 7th. Join you if you're able to go. Not everybody is. If you're able, if you're an executive, and you're able to go to the exec summit, I definitely encourage you to. 

I had the privilege of attending one of those. Not certain how I got in, but anyway, I had the privilege of doing that. It's well worth the time. Um, and of course, community sessions. That's, that's where a lot of, a lot of real stuff happens as well. And I think you just teased out three, Super important things that, uh, security leaders and their, their teams and their, their executive leadership peers need to know about the role and. 

Being prepared. And so that's where I suggest everybody starts. December 4th through the 7th. Excel London, Black Hat Europe 2023. Joe, your keynote session is Thursday, the 7th, 9 a. m. there. And, uh, I expect a full, fully packed standing room only, uh, session there for you.  

[00:41:10] Marco Ciappelli: Yeah, because, this may sound like, uh, and look if you're watching on YouTube as a personal keynote session, but I know there is a lot more. 

Um, when you're going to actually deliver the keynote. So I definitely encourage everybody to go. And I want to thank you so much. Fascinating conversation, uh, made me think a ton and I'm hoping that our audience is going to think a lot as well. I'm sure they will.  

[00:41:37] Joe Sullivan: Excellent. Thank you for having me.  

[00:41:39] Sean Martin: Thanks, Joe. 

And thanks everybody for listening and watching, uh, one of a number of. Sessions that we'll have here as we continue to cover Black Hat Europe 2023, still 2023, in London. And, uh, yeah, I think we've already recorded another one and we have a bunch of other sessions lined up as well. And, uh, so stay tuned and, uh, share, attend the event, connect with your peers, have those conversations, and, uh, let's, let's be better together. 

Thanks, Joe. Thanks, everybody. Thanks, Marco.  

Thank you.