From Prosecutor to Security Leader – Joe Sullivan (ex-CSO: Uber, Facebook, Cloudflare)
Tyler Finn
How do you make the transition from federal prosecutor to security leader? Help secure some of the world's largest technology companies? And build yourself back up after being convicted by a federal jury for your company's handling of a data breach? On The Abstract today, I'm joined by Joe Sullivan, CEO at Joe Sullivan Security and at Ukraine Friends, a nonprofit focused on providing humanitarian assistance to the Ukrainian people. I think that's a really cool mission and I'm excited to talk about that in addition to security. Before launching his own consultancy and the nonprofit, Joe was the chief security officer at Cloudflare, Uber, and Facebook. He spent time in legal roles as well earlier in his career, working on regulatory, privacy, trust, and safety issues at companies including Facebook, PayPal, and eBay. Joe started his career as an AUSA in the computer hacking and IP unit of the Northern District of California. And he spent time as a board member at the National Action Alliance for Suicide Prevention, something that I think we can all agree is a very important mission in our country today. Joe, thank you so much for joining me for this episode of The Abstract, recording here in San Francisco.
Joe Sullivan
Hey, thanks for having me on. I'm looking forward to this.
Tyler Finn
Okay, we're going to talk a little about your career today, but I think it's too interesting and timely not to bring up Ukraine, given your work there. You recently returned from a trip to Ukraine. What's the situation and the mood like over there?
Joe Sullivan
Yeah, so this was my fifth trip to Ukraine in the last two years. And I got back about a week and a half ago. And I would say that the people there are in a good place. As good a place as you can be, being a small country in a war with Russia, which is a really hard place to be. Every time I go to Ukraine and then I come back, people say, oh, you're so noble for going. And on the inside, I actually feel selfish, because I believe I get more out of those trips than I give, because the people inspire me so much. What I've seen over the course of all these trips and traveling around the country and spending time with people who are suffering is that they've come together as a country, as communities, in ways that I think we've forgotten about here. There's nobody I meet there who isn't doing something to help other people. I can have a big bag of medical equipment and I'll say to somebody, I need to get this to this town that's near the front lines because there's a surgeon who needs them. And within 20 minutes, I'll have three different people who know somebody who's driving in that direction. And then within six hours, I'll have a picture of the surgeon with the package. And over and over, I've experienced things like that there. And so I just like that reminder of people helping each other, and also just their general resilience in the face of what seems like overwhelming odds. They don't let themselves get caught up in the roller coaster of following the news, because if they did, they would have, over the course of my times there, they've been winning, they've been losing, they've been having full support from the United States, they've been having no support from the United States, there's a new president coming who might not support them. There's a new president who-
Tyler Finn
Exhausting.
Joe Sullivan
It could be exhausting for them. And they do pay attention to the US news. It's covered every day because we, as a country, really help them. One of the other things that I appreciate when I go there is that people stop me and say, thank you. They say, you're from America, right? Thank you. And thank everybody else because they know about the support that's come. They've personally experienced it, many of them, and so they're very grateful to our country.
Tyler Finn
What was it that motivated you to take on this challenge? Tell us a little bit about the work that you're doing there as well.
Joe Sullivan
Sure. So I started doing this at probably the lowest time in my life. So in 2017, I was fired from Uber. And in 2020, I was indicted. In between, I started working in a company called Cloudflare, which was a small private company, and it's since become a strong public company. And I went into Cloudflare and built their security organization from 2018 to the end of 2022. And so I was there for 4 and a half years. And I was there at the beginning of the full-scale invasion. Right before the full-scale invasion, the United States government reached out to us, Cloudflare, and asked if we could help the Ukrainians. If you remember, in February of 2022, President Biden was saying, Russia is going to invade Ukraine. Everyone was like, no, that's not happening. But U.S. Cyber Command, in anticipation, asked us to deploy in Ukraine. So I was remotely, from here in Northern California, supporting Cloudflare deploying our product inside Ukraine. And then in the fall of 2022, summer-fall of 2022, I went to trial, lost the trial. And that was when I hit the low point. Because even me being indicted while working at Cloudflare was hard for Cloudflare, in terms of they lost customers because they chose to stand by me. And there were corporations that decided it was too much of a compliance risk to do business with Cloudflare when they had a CISO who's facing a criminal case. So I had reached agreement with the founders, who had been very supportive, that I said, I will leave if I lose the trial, because that would just not be good for the company. And so I left after. So I lost the trial at the beginning of October of 2022 and decided I need to do something. After about a month of just moping and going down into that dark place and having to start thinking about facing a sentencing hearing and potentially going to prison and all that would come from that. And people don't appreciate this, but when you get convicted of a felony, all your bank accounts get shut down. 
Your homeowner's insurance cancels you. Your car insurance cancels you. And so I was dealing with all those things, but I wasn't working anymore. And so I reached out to a bunch of different non-profits that I'd helped over the years when they were happy to be associated with me. Essentially, they all said, we can't afford to be connected with you, which was very frustrating and hard to hear because I'd given time and energy to these organizations. But I didn't give up then. I was talking to a friend of mine, he was the recruiter who placed me at Uber, so he owes me one for that. But he'd also placed me at Cloudflare and some other things, like I was an advisor for Whoop, the fitness band company, through him. And we still work together on projects. And so I reached out and I said, I would like to do something volunteering related to Ukraine. That was the most inspiring thing I did during my last year at Cloudflare. And he got his recruiters to work. And then he called me back a few weeks later and said, there's this organization, it's called Ukraine Friends, their CEO's transitioning and they need a new CEO. I said, wait a minute, Jared, I want to volunteer a few hours a week doing cyber helping Ukraine, not become the CEO of a nonprofit. He's like, talk to the board members, talk to the founders, and I did. And then I talked it over with my wife. I was like, this is not cyber. I can't do this from Northern California. I'm going to end up having to go to a war zone. Are we okay with that? We talked it all through and decided to do it. In the beginning, so I jumped in. My first trip was in early 2023, about two years ago. And before that, the nonprofit was very focused on medical equipment, ambulances and things like that. So I actually flew to Virginia to an ambulance reconditioning facility and worked on shipping over 22 ambulances. 
Unfortunately, in Ukraine, when the ambulances go near the front lines, they get targeted, and so ambulances are few and far between there. So we were shipping over ambulances and other medical gear. Fortunately, within a short period of time, donors from around the world, more governments, started providing good quality medical equipment. And so the need for that went down. But on my first trip, a friend of mine gave me 20 laptop computers, and I brought them over, and I ended up giving out 10 at a Catholic orphanage and 10 at a Jewish community center. And seeing that what I found was that the people who were getting the least support and attention were the kids. And think about it like this. We had a pandemic and all of our kids had to do remote schooling for a year or more. Well, so did the kids in Ukraine. And then just as they were coming out of the pandemic in 2022, they ended up in a war. Half the people in the country moved to the West from the East because of the danger. And a lot of schools were getting hit. And as a result, a lot of children were forced into remote schooling. And they were doing them on their parents' phones because they didn't have computers because you couldn't go online and order a computer shipped to you in Ukraine. You still can't. So that inspired me to start talking to more of my friends who run security and IT at large corporations and as a result, I've been able to get a steady supply of laptop computers shipped over and into Ukraine, and we distribute them. We set up basically a web form where anyone in the country could submit a request to us. We wanted to narrow it down so we only take requests for children who can't afford a computer and they've lost a parent in the war. And so every kid that we, generally speaking, every kid that we give a laptop computer to is someone whose dad has died in the war. 
So when I was over there two weeks ago, I went to a school, we gave a bunch of computers to some teachers who were leading the remote learning. They were using these old desktop computers that they had to go to this warehouse to teach from and some of the students from that school. And then I met with a group of widows, young women in their 20s and early 30s who've all lost their husband, who are trying to get into job training programs, but didn't have computers. And they had tested well, but if they had a computer, they could go learn IT.
And so, gave them a bunch of computers. And so that's basically what I do. And the cool part about it all is that every single computer that I've gotten and shipped over has been donated through somebody that I know through working in cyber security.
Tyler Finn
That's amazing. I was gonna ask you, you know, why'd you decide to do this sort of humanitarian work instead of security? I mean, it's totally obvious. It's self-evident.
Joe Sullivan
Well, you know what? The most amazing thing I learned from it all was that when I started doing it, I was in that really bad place, personally. I felt like my life is not in my hands anymore. It's in the judge's hands. In six months, eight months from now, I'm going to have to go through a sentencing hearing, and my whole life could be completely disrupted. I wanted to have some sense of control in my life, number one. But number two, the thing I learned was when you feel bad about yourself, go help someone who's in a worse place. Then all of a sudden, your problems don't look so bad. There's nobody I meet on the ground there who's in a better position than me, even when I was going over there before my sentencing hearing. Yeah, and so when I was there, I wasn't worried about my sentencing hearing. I was worried about these people and caring about them and inspired by their resilience in the face of what they're dealing with.
Tyler Finn
We're going to talk about the trial a little bit later, and the sentencing hearing and that sort of thing, but that wasn't, that isn't the entirety of your career, right? And that's not where it started. You also didn't start your career in security. You were a lawyer, you were a federal prosecutor. How did cyber feature in your sort of early career and early work, and where did that eventually lead?
Joe Sullivan
Yeah, yeah. I graduated from law school in 1993 and went straight into the U.S. Department of Justice. I had, I did, it's called the Honor Law Grad Clerkship. It was kind of the only way you could get into the U.S. Department of Justice straight from law school. I did that, and it was a year of clerkship. Then I went to a law firm for a few months and then realized I didn't want to do that and quickly got back into the Department of Justice. While I was in the Department of Justice, I convinced them to let me have an internet connection. I remember we would go down the street to the Bank of America building to get on the internet because they had a free internet terminal in the lobby or something like that. We'd be doing work-related research on a free internet terminal down the street. I convinced the Department of Justice, they wouldn't let me put my DOJ computer on it, and no one else in the office was allowed to use it. But I wanted to use the internet for researching, because I was dealing a lot with political asylum cases and complicated international things, and being able to pull up newspapers from the other side of the planet would be really helpful, and to have some context for the cases we were working. So that was kind of my first... And then a few years later, I was in the US Attorney's Office. I moved to Las Vegas for two years. I was in the US Attorney's Office there. And when I got there, the Department of Justice had started a program called the Computer Telecommunication Crime Coordinator Program, where they wanted to train one federal prosecutor in every office across the country, so all 94 districts.
Tyler Finn
That's pretty smart actually.
Joe Sullivan
Yes, it was started by Robert Mueller when he was in Main Justice back in the mid-90s. And so I was, A, I think the only prosecutor who had a computer on his desk and, B, the only one under the age of 30. So they were like, you must be the high-tech guy. I was like, I am. And so I started doing high-tech cases from there. And then shortly after, Robert Mueller became the U.S. attorney here in Northern California, and he said, I want to have a full-time unit doing high-tech cases, and he asked me to be part of that team, and so I got to be the first full-time cyber federal prosecutor in the country.
Tyler Finn
Wow.
Joe Sullivan
And I was just here going around to companies in Silicon Valley saying, hey, tell me about your cyber crime problems. And they would all say, we don't have any, just like today. So that's kind of how I got into doing it. And the Department of Justice gave me a bunch of specialized training on how to use the... I got a special computer and we had annual specialized training programs. And I worked a lot with the FBI, Secret Service, and different agencies that had dedicated cybercrime investigators.
Tyler Finn
So the transition to working in tech companies then, eBay, you did Trust and Safety there. I actually just had Rob Chestnut on my podcast, I think you probably worked with him there, you know, working on privacy issues. I mean, that seems like a totally natural transition from being a prosecutor who is very tech savvy and who actually has experience prosecuting cyber crimes. But then you end up taking on security roles later on. And I think, you know, chief security officers, CISOs, are often very talented hackers themselves, maybe. How did you make that transition?
Joe Sullivan
You're right, Rob Chestnut played a very big role for me. He's one, I consider him one of my most important mentors. He contacted me from eBay and said, would you consider coming here? I'm being elevated into this head of trust and safety role.
Tyler Finn
When you were at DOJ.
Joe Sullivan
When I was in the US Attorney's Office. And so we had this really interesting conversation. I said, I get to help the company make decisions that will prevent harm from happening. You as a prosecutor, you only clean up the mess, so to speak. You come in afterwards and deliver punishment to the person who did wrong. If you come into a company like eBay, you can oversee policies and engage with product managers and engineers to educate them and help them build a better, safer product. And so that really resonated with me. And when I went to eBay, I reported to Rob. And then I think after a couple of years, it was kind of murky where trust and safety ended and legal started. Someone named Kent Walker joined. He's the general counsel of Alphabet now. And so I had two managers. Kent was my legal manager and Rob was my operational manager. And on trust and safety, I oversaw a whole team of investigators and fraud prevention people, and I oversaw some other operational teams. I was responsible for the policies around what's allowed on eBay, which have some legal implications but extend a lot beyond that. I think for four years at eBay, I was wearing both hats, probably like 75% operational, security and safety. During that time, I started spending a lot of time with the InfoSec team at eBay and the InfoSec team at PayPal. After four years of wearing a little bit of legal hat and a lot of operational hat, I was like, I got to pick one or the other. And I was given the opportunity to go run the North America legal team for PayPal. So I said, goodbye, trust and safety. I'm going to go be a lawyer full time. I think I was meant to be a lawyer. And I went to PayPal and I got to manage the... That was a great experience. I made it to essentially be acting general counsel at PayPal, and the general counsel was able to take a sabbatical and go away for a while. 
So I got to be part of the leadership team, sitting in as part of the exec meetings, doing things like that. And then I started getting recruited for general counsel roles. And I was like, I'm not sure I really want to do that. I seem to spend a lot of my time hanging out in the other half of the building with the PayPal security team. The eBay team never stopped calling me, so I had my official job running PayPal Legal North America and my unofficial job doing security. Then in 2008, I got recruited over to Facebook when it was a small company, smaller than MySpace, and they needed someone to do product counseling around financial services stuff and probably compliance and operational stuff as well. So it was kind of a hybrid role again. I left PayPal and went to Facebook in 2008. When you go to a place like Facebook in 2008, it's growing so fast that you just end up doing 100 different jobs. Sure. And before I knew it, I was managing some lawyers and then they asked me to manage... I really enjoyed those first couple of months where I didn't manage anyone. It was really nice to get back to just doing work. But then I ended up managing, I think, a couple of lawyers and then our general counsel asked me, would you go oversee security. And so actually initially I managed the CISO. He was like a very early employee who'd already passed, you know, essentially vesting and stuff like that. And he was just there really to help and so eventually he transitioned out and then I became the chief security officer at Facebook.
Tyler Finn
What was the learning curve for you like as you took on that security role at Facebook?
Joe Sullivan
It was pretty intense. But I'd been through the process of, when I moved into that PayPal role overseeing the legal team, all of a sudden I was responsible for attorneys and functions that I'd never overseen before or worked in. So patent lawyers and litigators and commercial lawyers. And you realize that your job as a leader is not to become the subject matter expert of everyone on your team, but to figure out how to support them best. And so I didn't feel the pressure to go learn every detail of every corner of security. And I was fortunate that I inherited some pretty strong people, and then Facebook being the company it was back then, people wanted to work there. So I was able to build a really strong team really quickly and then I just leaned on their shoulders a lot. But the growth curve for me was more about learning to be a real executive and not spend all my time with the team. Facebook gave me an executive coach and I never forget the number one lesson that she taught me which was, I was spending 90% of my time with my team and 10% with the other executives, and I needed to change to be 50-50. I needed to start to think of the other executives as my team as much as I thought of my team as my team. And so that was the harder transition for me than the technical side, because I'd been involved in cybersecurity and just kind of eating it up for over a decade at that point.
Tyler Finn
You referenced, I mean, later on at Cloudflare, you know, being brought in by US Cyber Command. I mean, talk to us just for a second about the sort of enormity of the challenge that CISOs or chief security officers face these days with all these zero-day hack opportunities. And I mean, I know a little bit about this, right? Not nearly as much as you do. It just seems like a huge problem, especially when you throw nation-state actors into the mix.
Joe Sullivan
Yeah, it's not a fair fight. First of all, your organization, your company, doesn't really understand what you're doing most of the time or understand whether the money spent on your program is money well spent. Because the absence of a problem doesn't mean that the money was well spent. You might have just been lucky. The absence of a problem leads everybody to think they should lower your budget. And so it's just kind of like this strange dynamic. You're doing this work that no one else understands. It's also, I actually think it's very similar to what a legal department does in a lot of ways.
Tyler Finn
I think this will resonate with our listeners, yes.
Joe Sullivan
You're the chief security officer, or the CISO, depending on whatever titles are used in those contexts, and the general counsel or chief legal officer nowadays. They're the two most senior people inside the company whose job is to think about risk holistically across the whole company. And you look at every other team in the company and you think of all the things that they could screw up and all the problems that they could cause. And the biggest challenge you have is not being that character from Peanuts who shows up with a dark cloud over him and just dripping, you know. You don't want to be the person that everybody runs away from because you're always doom and gloom. But yet, we're usually showing up to tell people, stop doing that, it's too risky. Or, you should have stopped doing that and you didn't, so now we're in trouble. Like those are the two messages I have to deliver too often and those are the two messages the general counsel has to deliver too often. So I often am surprised when those two teams don't really align because of that shared role, so to speak.
Tyler Finn
Let's talk about that. I'm actually really interested in your view on it. How can legal teams and security work better together? And I'm curious about that in two parts, right? I mean, one, sort of how can GCs and CISOs work well together? But I also, and this has been my experience too, I mean, I used to lead privacy at a couple of companies. I think this relationship, for whatever reason, also seems to be a lot harder when it's, say, someone on the GCs team who has to work with, maybe not a real CISO, but a director of IT who spends 50% of their time on security. Yeah, how can folks work better together?
Joe Sullivan
Yeah, I think that the number one thing that works is viewing that other team as an extension of your team. And at Facebook, for example, and at Uber and Cloudflare, I had a very good relationship with the legal team because I understood their language, and I also saw that my team had a better angle on the risks that the legal team cared about than the legal team did, because we were in the product design meetings. We were in the engineering scoping of what was going to be built. And so on day one they would tell the privacy lawyer, oh yeah, we totally understand these principles, we'll totally bake them into the code. And then we're actually reviewing the code and can see how it really works. And during the time that I was at Facebook, the biggest technical project that I worked on, and it was massive, was effectively bringing Facebook into compliance with GDPR. And this was, GDPR didn't come along until what, 2017, 18, but the national principles underlying the laws that came out of the EU, at Facebook we started being told in 2010, 2011, as we were becoming a big visible company, you need to respect right to be forgotten. You need to be able to have a page where someone can go and download everything about them, and all of those things. The hardest of those was re-engineering the entire back end of Facebook to be able to do, like if you said delete my account, how do I make sure that that's literally wiped from databases within the 90 days that we promised in our privacy policy. The most nerve-wracking meeting of my career was meeting with a European Data Protection Commissioner where I was the technical side with the lawyer, and they said to us, we deleted an account 91 days ago and we're going to use your tools to do a query against your databases to see if there's any remnant of that account.
Tyler Finn
Wow.
Joe Sullivan
And they told us that at the end of the day, and they're like, at 8 a.m. tomorrow, be here with, you know, terminal access so that we can do these queries. And I was like, I really hope tomorrow morning it's gonna work. Yeah.
Tyler Finn
Talk about a live demo.
Joe Sullivan
But that was a good partnership with legal, in that we had been working on that project for years and we felt like we could technically show up. And Legal felt like they could let us technically show up because of the good communication. And so I often think that security and privacy are two sides of the same coin. Like, your job is to document what is and how it's being used. My job is to make sure that no one's taking it, and I can't stop them from taking it if I don't know where it is and who has access to it.
Tyler Finn
One of the things that I noticed is you've always been a chief security officer, not a CISO, and I'm wondering if that was intentional or not, and if there's a lesson there for other folks who may be in similar roles.
Joe Sullivan
There is. So, chief information security officer is a very defined role. It is overseeing IT, basically, keeping the company from getting hacked. At every company I've been at, I've had a broader role than that. In fact, when I was at Uber, I had a chief information security officer who reported to me.
Tyler Finn
Oh, interesting.
Joe Sullivan
But I also oversaw physical security, trust and safety, so I was responsible for rider and driver safety in the vehicle, executive protection for our leadership, fraud. I had six different organizations under me, I think, at Uber. And so, Chief Information Security Officer is usually a narrower role. Historically, it used to be Chief Security Officer would be assigned to the person who was overseeing physical security alone, in the old days. And now it's evolved to kind of indicate a broader role. Some companies are experimenting with different titles like Chief Trust Officer.
Tyler Finn
Right, I see that when it's combined with CLO sometimes or legal and some of these other roles coming together, yeah.
Joe Sullivan
And a lot of European companies are experimenting, because you have the Data Protection Officer evolving to become the CISO as well. Like last year, I did the keynote at conferences in Norway, Denmark, and somewhere else in Europe last fall, and at each of those events I spent a lot of time with the security leaders from the community, and a decent percentage of them, much more than in the United States, came from the legal slash privacy side and are now overseeing technical organizations as well.
Tyler Finn
That's really interesting. Okay, we're at the point in the podcast where I want to talk about the Uber case and your experience with that. And look, I mean, folks can read as much about this as they want online, but I've read some of it, not like all of it.
I mean, essentially, I think this is a debate about there was a hack that happened around Uber systems, a bug bounty was paid to those hackers, should this have been disclosed as a breach or was it disclosed in the right manner, and the FTC was investigating Uber, I don't know if there was a consent decree, I can't remember, but it was investigating Uber at the same time, so that was layered on top of this. I'm not really interested in like discussing all the specifics of the case, but I am curious about how you navigated it as an individual, and so I guess my first question to you is, you know, you were a federal prosecutor yourself. So you have some idea about how these things tend to go and how this works. Did you have a sort of thought or an idea that this was coming?
Joe Sullivan
I never believed it was going to come because I'm still fighting the case. It's pending on appeal and I still believe I'm going to win and it's taken some turns that I think are going to help it get there from a legal perspective. But, yeah, I was talking about it with my attorney because I was terminated, like I said, I was let go in the fall of 2017, Thanksgiving week, in a very sudden, kind of rude way. And then I went to work at Cloudflare. I probably felt worse after I was terminated from Uber than I felt when I got indicted, just because it blindsided me so much. The company was taking the view that it was on it. I knew for at least a year before the indictment, well first it was a criminal complaint I was charged with and then they did an indictment later. I learned about the criminal complaint the same way I learned that I was getting fired from Uber, in the news.
Tyler Finn
Press release?
Joe Sullivan
Yeah, the US Attorney's Office and the FBI did press conferences. They didn't tell me they were going to charge me on that day. I was sitting at my desk working for Cloudflare, working from home because it was August of 2020. So six months into the pandemic, I was sitting at my desk working. And my daughter, who was moving into college that week, she was with her mom, and they called me because... I was texting with my ex-wife about how we were going to tell her, literally, on the day she's moving into college. I learned about it. And my daughter calls because her friend heard on NPR that I'd been arrested. So she started getting people reaching out to her, like, are you okay? Because the FBI put out a press release that was a lie. They said that they had arrested me when they actually hadn't. I've never been arrested. I don't know why they did that. I asked them to retract it a few weeks later, and they did. But they put out that fake press release that everybody... So, everybody thought I was in jail.
Tyler Finn
Yeah.
Joe Sullivan
And I had to call everybody and say, no, I'm not, I'm okay.
Tyler Finn
That's quite a typo.
Joe Sullivan
So it was, yeah, so that was a pretty stressful thing, but at that point I didn't believe it was gonna happen, because I knew what it was like when I was a federal prosecutor. Like, we had a million cases we could do, and I only did cases where it just felt like, honestly, it felt like it was a slam dunk, each case, because you could pick from so many different levels of guilt, so to speak. And I knew what really happened in this case. And so I just didn't believe it. So I was shocked. And then I didn't go to trial for another two years, so I went back to work and worked for the next two years and put my trust in my lawyers. I will say that the other hard part was the first time I went into the federal courthouse in San Francisco a couple of months before the trial, and it just hit me on a whole other physical level. Like, here's an office in a courtroom that I've been into as a federal prosecutor, and now sitting at the other table was pretty intense. I always think of myself as a person who stays calm under pressure, because in security you have what could be the worst situation ever come up like once every two months. Yes. And unfortunately, it usually isn't. But you have to treat it like it could be the worst thing ever. And so I'm used to that. But when it's about you, it's a much harder emotion. It felt like my brain couldn't think the way I normally can. Usually, I can look at a situation and be like, we need to do this, this, and this. I was just like, lawyers, please just do what... My brain just couldn't... Even sitting in trial, I just felt like I was a zombie version of myself, and I wanted to be more active. I think after I lost the trial, I think of it as winning this. We won the sentencing, because that just knocked me out of my stupor. I was like, I need to own this, and did much more for the sentencing.
Tyler Finn
You worked for Cloudflare through this whole thing in a super high-pressure environment and job, a company that's growing super fast. How did you manage to do that? That's interesting to me. How do you manage to keep working and sort of show up every day? I guess you're very lucky that they sort of stood by you and they said, we're going to support you through this. I would think focusing on a lot of other stuff would be hard.
Joe Sullivan
For the most part, it wasn't. I love doing security work. And I mean, that's why I'm back doing it after going through all this stuff and coming out the other side. I'm working with two public companies and a dozen private companies right now on their security. I'm in the weeds of the security of a bunch of important companies right now. I really like doing it. I like working with security engineers. I like working with executives who care about security. It was an escape from having to think about something that would paralyze me.
Tyler Finn
I guess we talked about it a little bit around the work with the non-profit, the work with Ukraine. How did you start to build yourself back up after the sentencing? I mean, on the one hand, that turned out very well for you, right? You didn't go to jail, right?
Joe Sullivan
Yeah. I mean, the sentencing was a very important day. It was crazy. It was like out of a movie. People who I'd worked with at eBay, PayPal, Facebook, Uber, and Cloudflare showed up, like members of my teams, and none of them had seen each other in a long time. And also, even the Cloudflare team hadn't seen each other because of the pandemic. And so, it was this chaos in the hallway of the federal courthouse. The bailiff for Judge Orrick came out and yelled at everybody multiple times because they wouldn't be quiet in the hallway. He was doing this very important trial in another case, and it was like a zoo in his hallway. And then we went in, and I didn't even know this, but the sentencing hearing was broadcast on video on Zoom, which is almost like you'd never hear a federal courthouse doing a video for the public.
Tyler Finn
You're still bringing tech to the judicial system.
Joe Sullivan
Well, the Zoom crashed because so many people joined it. I had people on the other side of the planet joining in the middle of the night. And so Zoom crashed for a bit, and the sentencing hearing, thankfully at the end, the judge said it wasn't a cover-up. There have been a million articles written about my case, but the only thing that's never been quoted is the judge saying, well, the bug bounty agreement wasn't a cover-up. And he said that. And then he basically said, go live your life and sent me on my way. And I got sentenced to probation and community service. And unfortunately, I can't even remember how many hours of community service, but I did it in a few months because the Ukraine stuff counted and I did some other stuff locally too. And so like doing community service was not a problem because I was already doing it. And then I wanted to just get back to work. And so I started my own consulting company and I didn't know if anybody would hire me. But, for example, recently a really well-known public company, they sent over the consulting agreement. They wanted me to work with their company on assessing their program. They were having a transition in leadership on the security and they wanted an independent assessment and they asked me to come in. And they sent me over their standard consulting agreement and one of the things was, you know, I certify that I've never been charged or convicted of a crime. And I'm like, and I thought, oh, I have to reply to them and they're gonna, like their GC's gonna make an issue of this and I'm not gonna get this consulting. They sent it back and it said, they'd revised it and it said, no cases or convictions, comma, other than in the Northern District of California in the case of, and it had my, they literally put the case number in and it was like, because they wanted me to do the work. And so I've been in the middle of that three-month project for them.
And initially I thought, I'll speak at a couple of conferences, and I wanted to talk about the case a little bit. Not for me, but for other security leaders, because we're in this really fraught place where we don't have clear laws about how much a company should be doing on cybersecurity. A lot of people are afraid to do the job now. I get those calls all the time. I get a call every time there's a really bad security incident happening. The GCs don't want to hear this, but there are security leaders calling me and talking on the side like, I don't want to end up like you. How do I deal with this situation? I want to do right by my company, but I'm afraid. And so I want to talk about that. And so I went and spoke at a couple of conferences, and now I got to the point where I have to say, I have to charge you for me to come do this, because I should be doing my job, and now I'm getting paid to go speak at conferences. And it's because we're in this really difficult place around cybersecurity and expectations.
Tyler Finn
Yeah, I mean, you preempted sort of one of my questions, which I think the first time I heard about your case was talking to a law firm partner and we were going to do a webinar somewhat focused on this for not so much security professionals, but privacy professionals thinking about is this going to have a sort of chilling effect or are people going to be willing to take on these jobs? Maybe someone's willing to be the AGC for privacy, but they're not going to be the chief privacy officer anymore, they're not going to be the CISO anymore because they don't want to be the one sort of left holding the bag.
Joe Sullivan
For the longest time, I would get texts or messages or calls from people and they would say, Joe, can you help me get ready? I'm going to be interviewing for the CSO or CISO role. Now I get a different call. It's, hey, I've been asked to interview for it. Do I really want to do it? Like things have changed since my case and the SolarWinds case, and then there've been a bunch of other ones that aren't as well publicized, but there've been a lot of different regulators across the planet.
Tyler Finn
The SolarWinds was SEC, right?
Joe Sullivan
Yes, yeah, SEC civil enforcement action, still pending.
Tyler Finn
What are your biggest learnings or lessons from such a difficult experience?
Joe Sullivan
Oh, that's a good question. I think that having a good support system during a tough time really matters. I was very fortunate in that I have a really strong family. It turned out that the cybersecurity community was there for me. Judge Orrick, at our sentencing hearing, he turned to my lawyers and said, don't ever do that again. And he was talking about the fact that they'd given him 186 letters. Because I had support, letters of support for me. And the truth is that that wasn't the complete set of letters. My lawyers had said to me, like over this, that like eight-month period between losing the trial and my sentencing, people started sending me letters to give to the judge. And I, it was a silver lining in the whole thing, because I joke around that it was like my own Irish wake. All these people writing me letters, telling them stories about how I'd impacted their lives in a positive way. I'm in that really bad place, and all these letters keep coming in. Every day, it was like popcorn, another letter. By the end of that, I had hundreds of letters, and I turned to my lawyers and said, we've got to give these to the judge, and they're like, that's, in security we call that a DDoS attack. It'll shut down the court system. And so let's just give them the 25 best letters. That was my lawyer's advice. And I said, no, he needs to see this because they're real stories. And so the deal I made with my lawyers is that I removed all the form letters, the ones that were like, I'm a CISO and I don't want you to sentence Joe to prison because I'm afraid for me. All of those needed to be tossed and then the ones that talk about real stuff added up to 186. So we submitted those and I really believe Judge Orrick read every single one of them just by the way he conducted himself throughout the case. I was very fortunate I had a judge who showed up prepared every single day.
Tyler Finn
Wow. As we start to wrap up, I mean, it's such an amazing story, such a challenging experience for you to go through. Yeah, I've got some traditional closing questions for you, which are a lot more fun.
Joe Sullivan
OK. Good, I like fun.
Tyler Finn
A different sort of mood. OK, I came up with one different one for you, because I think this will be fun. What is it that keeps you up at night as a security professional?
Joe Sullivan
It's the risk you don't know about. It's my job to find all the risks and make sure the rest of the executive team at the company understands them. And it's a joint decision to accept a risk. Companies take risks all the time, especially startups. And they wouldn't exist if they weren't willing to take some risks. But they have to be intentional about the risk. And so I need to be able to know about those risks to either make it go away with a technical solution, make it go away with an operational or policy solution, or work with the leadership team on accepting it.
Tyler Finn
Sure.
Joe Sullivan
And the one thing I don't want to ever have to be is the person calling the CEO and saying I didn't tell you about this big gap in our security and it's been exposed.
Tyler Finn
What's your favorite part of your day-to-day today?
Joe Sullivan
I like the variety of companies that I get to work with. And I like security people in general. Security, I say security is a noble profession. And because I really believe it is. I think everybody in it is in it for the right reason. You don't go into cyber security to become a senior executive. There's always been a ceiling in security. Yeah, I'm one of the few security executives who's reported to CEOs. Most don't, and in fact, they don't want to, because they kind of want to be hidden. So it's not a world of ambition. It's a world of passion about technology, and the cool thing about security is it's technology to protect people. And so, everybody in it cares about people. And they got to a point in their education and they're like, I like technology and I like doing a version of technology that's helping people. And you feel it every day when you work with security people.
Tyler Finn
This is kind of a fun one, I think. It's if you have a professional pet peeve.
Joe Sullivan
I think it's a really big challenge in my profession in security, and I think I saw it in legal as well, which is that we speak our own language and we tend to do it outside of our tribe. So, meaning, it's okay to talk. I used DDoS a minute ago. I shouldn't have done that. I should have said, a denial of service attack, which is like when you flood a system with a bunch of signals so much that it can't handle it.
Tyler Finn
Right.
Joe Sullivan
I don't like when we use our insider language and make other people feel uncomfortable. Because most people don't want to speak up and say, when you said that acronym, what do you mean? They don't want to betray their ignorance. And so that's my biggest pet peeve.
Tyler Finn
That's a great answer. And I think something that a lot of lawyers and just people, I mean people who are working in specific industries with their jargon should take to heart. That's great. Last couple questions for you. Is there a book that you'd recommend to our audience?
Joe Sullivan
I recommend this book all the time and it cracks people up. Like I go back to that version of the security person who's the Peanuts character.
Tyler Finn
Yeah.
Joe Sullivan
We need to be engaging with the other executives and the other teams before the problem happens or even becomes apparent. And so I always recommend go back and read How to Win Friends and Influence People because I actually think that we need to, we need to take one of those tactical things to work every day and try and implement it in our relationships outside of our team.
Tyler Finn
And it's great. Okay, last question for you. My traditional closing question. I know you haven't been a lawyer in a while, but if you can think back to when, you know, you were just getting started at DOJ or at the US Attorney's Office. Something that you know now that you wish that you'd known back then.
Joe Sullivan
I have a serious answer and a funny answer.
Tyler Finn
Great.
Joe Sullivan
Which one do you want first?
Tyler Finn
Let's do the funny answer first.
Joe Sullivan
Okay, the funny answer first. I wish I didn't know this until I started managing lawyers. No lawyer ever thinks they did a bad job. Okay. So if you're managing five litigators, they will all tell you, I negotiated the best possible outcome in this case. No other lawyer could have got a better outcome than that.
Tyler Finn
They're advocates.
Joe Sullivan
And they're self-advocates. So I've managed lawyers and I've managed engineers. Engineers are the exact opposite. Code doesn't lie. You type a line and you hit enter, and if it doesn't work, it doesn't work. So they get humbled over and over again. And so managing people who think they've done the best job ever versus managing people who feel like they're always failing, it's completely different.
Tyler Finn
That's interesting. I've never thought about it quite that way before.
Joe Sullivan
I consider lawyers much more difficult to manage than engineers. It might be one of the reasons why I haven't gone back.
Tyler Finn
That's funny.
Joe Sullivan
That's a funny answer. I think growing up I didn't know about product lawyer as a concept.
Tyler Finn
Sure
Joe Sullivan
Maybe it didn't exist back then the way it does now. But like, I think product lawyer's the coolest job because you're helping build stuff. And too much, you know, too much of security and legal work is, you know, coming in as the fire department afterwards. And so getting to be part of building something that's gonna go out into the world and be meaningful, that's really fun. And I really enjoyed the short time that I got to be a product lawyer, I think at eBay and then at Facebook, because you got to be in those decisions on brainstorming, innovation, and I always remember Mike Jacobson, who was the general counsel at eBay, he always got invited to meetings that I didn't think a lawyer needed to be invited to. I remember one time I said to Rob Chestnut, I said, why is Mike J. always invited to all the meetings? And it was because he gives good business advice. That goal of being a leader of the company, nobody wants a one-trick pony. And everyone wants someone who's gonna help them think about all of the issues at the company. And so I wish I knew about that, that as a lawyer, going and being a general counsel, being a product lawyer, being part of a company, is very different than going to the Department of Justice or going to a law firm. And so for whatever reason, I didn't have exposure to that kind of like in-house practice, especially in kind of an innovation company, so I wish I'd known about that.
Tyler Finn
That's a great answer. And I think one of the themes of this podcast and something that we're trying to do with all of our guests. Joe, thank you so much for coming and joining me for this episode of The Abstract and for being sort of so open and candid with your story and your experience. This has really been a pleasure.
Joe Sullivan
Awesome. Thanks for having me.
Tyler Finn
And to all of our listeners, thanks so much for tuning in, and we hope to see you next time.