Joe Sullivan, the former Chief Security Officer (CSO) of Uber, recently spoke with TechCrunch in London, offering insights into his high-profile legal case related to a 2016 data breach at the ride-sharing company. Sullivan, who served as a federal prosecutor specializing in computer hacking and intellectual property issues before joining Uber, found himself on the other side of the justice system when a San Francisco jury found him guilty of obstructing an official proceeding and misprision of a felony.
The case centered around Uber’s decision not to report the 2016 data breach, where hackers threatened to expose the data of 50 million Uber customers and drivers. Sullivan, fired from Uber in 2017, was sentenced to three years probation in May 2023. The case raised concerns among fellow CSOs and CISOs, prompting many to voice fears of legal penalties for simply doing their jobs.
Sullivan, who now serves as CEO of a nonprofit aiding the people of Ukraine, shared that he receives calls every week from security professionals questioning whether to stay in the industry and take on higher-ranking roles. He emphasizes the importance of not running away from such roles but rather embracing them, and he believes it is crucial for the cybersecurity community to advocate for change.
The former Uber CSO argues that the industry needs public-private sector collaboration and robust regulation to address cybersecurity challenges effectively. Sullivan commended the U.S. Securities and Exchange Commission’s upcoming data breach disclosure rules, set to take effect on December 15, as a step in the right direction. He encourages CSOs and CISOs to participate in shaping future regulations, emphasizing the need for leaders who can effectively advocate for the cybersecurity profession.
Sullivan’s case has left a lasting impact on the cybersecurity community, sparking conversations about the challenges faced by security professionals and the importance of legal protection for those in leadership roles. As the industry navigates increasing threats and regulatory scrutiny, Sullivan advocates for a collective effort to foster change and enhance the cybersecurity landscape.