Apr 16, 2024 - Technology

Exclusive: Former Uber cyber boss is now advising execs on avoiding his mistakes

Photo illustration: Gabriella Turrisi/Axios; Photo: Courtesy of Joe Sullivan

Ex-Uber security chief Joe Sullivan is taking on a new role to support his mission of helping executives avoid the criminal charges he's spent the past few years battling.

Why it matters: Security executives face growing liability and litigation risks as regulators start holding companies accountable for the data breaches and other cyberattacks they face.

Driving the news: Sullivan is joining cyber risk management company BreachRx as a senior adviser, he first told Axios.

  • BreachRx, which closed a $6.5 million seed round Tuesday, provides customers with a platform that automates how they respond to a cyberattack, including how they need to communicate with regulators.

Catch up quick: Nearly a year ago, a federal judge sentenced Sullivan to three years' probation and 200 hours of community service for charges related to covering up a 2016 cyberattack and obstructing a federal investigation.

  • The case marked what's believed to be the first time a U.S. security executive has faced criminal charges for mishandling a data breach.

Between the lines: Since that conviction, Sullivan said, he's been reflecting and hitting the road to help security chiefs and CEOs better respond to incidents.

  • Sullivan started last summer with presentations at the Black Hat and DEF CON cybersecurity conferences, and he said he's now the first call many chief information security officers make when they get "in hot water."
  • Joining BreachRx is a natural extension of his work, he said, since the company automates the process of documenting organizations' incident responses in the first hours and days.

What they're saying: "We're in a broken place," Sullivan said. "The people who are the most intelligent about how to navigate us out of this are handcuffed by fear because they think the regulators are going to come after them."

The big picture: The way Sullivan sees it, security chiefs have become accustomed to a corporate reality that doesn't provide them with the funds or employees needed to properly secure their systems.

  • "We have this world where every CISO has been, for the last decade, doing the best they can with the resources they have but always knowing that it's not enough," Sullivan said.
  • The growing regulatory pressure on all executives, not just security chiefs, to clean up poor internal practices could force companies to invest more in security and help CISOs in the long run, he argued.

Yes, but: Not all regulatory actions are created equal, Sullivan said.

  • On one hand, Sullivan said, the Securities and Exchange Commission's new cyber incident reporting rules that many companies have spoken out against are a "step in the right direction."
  • But on the other, the SEC's enforcement actions — such as the charges against SolarWinds and its top security executive — have prompted other CISOs to run from responsibilities "out of fear."
  • "I don't think the SEC has gone rogue," he said. "This is an inevitable change that's happening, and until the [cybersecurity] problems start to diminish to a manageable level, [government's] expectations are going to rise."

Zoom out: Ever since Sullivan's charges, the cybersecurity community has been trying to figure out how much of a precedent his case actually set.

  • During Sullivan's sentencing hearing, the judge received 186 letters from industry peers, friends and family — some of whom expressed concern that they would be under new scrutiny during an already stressful time.
  • But only a year out, it's not yet clear whether the case has prompted investigators to dig deeper into companies' responses to incidents.