Episode 3: You Better Be OK Dealing With Change with Joe Sullivan

Rayna Stamboliyska:

Hello, and welcome to What the Hack is a CISO, anyway. This podcast will help you in your journey to be a better CISO. It's supported by Sysdig, the company on a mission to make every cloud deployment reliable and secure. My name is Rayna Stamboliyska. I'm an EU Digital Ambassador covering the intersection of tech security and policy, and the CEO at Our Strategy.

Rayna Stamboliyska:

In this week's episode, I'm talking to Joe Sullivan, CEO at Ukraine Friends. Joe has a rich and impressive career. From a US federal prosecutor, Joe went on to join eBay, then PayPal, and Facebook. From there, he moved to Uber, where things took an unexpected turn in 2016. We'll get back to this at a later point. And, following Uber, Joe worked at Cloudflare and has served as the CEO of Ukraine Friends since January 2023.

Rayna Stamboliyska:

So you've run quite the gamut, if I may say so. How did you go from a public prosecutor with a focus on copyright infringement, if I'm correct, to a cybersecurity executive?

Joe Sullivan:

Well, it was back in the 1990s. I was working for the United States Department of Justice. That was my first job out of school, and I had really enjoyed my time with computers and studying computers even though that was not my specialty. And so while I was in the US attorney's office, which is a federal prosecutor role in the United States, I was in what we call the white collar unit. Meaning, I didn't typically deal with cases involving drugs and guns and bank robberies or any of those things.

Joe Sullivan:

I dealt with everything from credit card fraud to tax-related cases to cybercrime issues, because cybercrime generally landed in the white collar area in terms of the way it's characterized, at least. So I really enjoyed those cybercrime cases. And not too long after I became a federal prosecutor, I was asked, would you be interested in taking specialized training and learning more and doing more and more of these cases? And I said, yes, please. And so I think by 1998, I was really shifting my priorities to focus on cybercrime.

Joe Sullivan:

And at the end of 1999, I had an opportunity to switch offices, to move from one part of the United States to another, to Silicon Valley. In 1999, that was just when Silicon Valley and what we call the dotcom boom were kind of booming. And so I moved into Silicon Valley and started doing full-time prosecution of high-tech cases. As a result of that, I was spending a lot of time working with companies, because the thing about cybercrime cases and their investigation that's fundamentally different for law enforcement from traditional law enforcement work is that so much of the evidence, so much of the information, so much of the victim experience takes place not in the public, but on a platform that's owned by a private company. So the reality is that the vast majority of the Internet is in private hands, and so that requires a fundamentally different approach to law enforcement than anything that ever came before.

Joe Sullivan:

As a result, those of us who were doing cybercrime investigations in cases back then spent a lot of our time going to the companies and saying, explain how this platform works. How does someone get an account? How do you vet them? How much information are you allowed to retain about them? Do you have their log history?

Joe Sullivan:

So, for example, while I was a federal prosecutor, the 9/11 situation happened when the planes were hijacked. I remember that day because I was asked to work. Most of the federal government shut down, or people were told not to go to work that day, because it looked like, you know, at least one US government building was under attack, basically, when the Pentagon got hit. And so I went to work because even in a physical-world, you know, hijacking-of-an-airplane situation, there was a digital aspect. And now almost every case has a digital aspect.

Joe Sullivan:

But back then, it was the prosecutors and FBI agents who were working on the 9/11 investigation, and they realized, oh, those hijackers, they applied to flight school to learn how to fly a plane over the Internet. They booked their plane tickets over the Internet. They were using Internet email accounts to coordinate things. And in the government, there was this sense, oh, we can't destroy the evidence by accident. You know, a lot of times in investigations we see, oh, they smudged the fingerprints because they did a bad job at the crime scene. Well, the same thing happens in the digital world.

Joe Sullivan:

You can destroy the evidence if you're not careful and thoughtful. And so we had to develop that expertise, and I got pulled into those cases. And then once you get all that expertise, you realize we need the private sector to be investing and building out and working with government in partnership. And if you look at the history of the last 20 years, the evolution of technology platforms has led to this real tense relationship between the private sector, where the Internet is essentially housed, and the public sector, which has a responsibility for people. And so you see a lot more people move from the public sector to the private sector as those companies realize, we don't know what's happening here.

Joe Sullivan:

It's actually in our best interest to reduce the amount of bad things happening on our platform. So the companies will invest money and hire people out of the government who have expertise. And, essentially, that's what happened to me. eBay had a role because, you know, in 2002, eBay was the biggest, you know, sales platform on the Internet, and it was a whole new thing, and people were figuring all of that out. And so there was a very senior leader at eBay who I'd gotten to know through doing some fraud cases on that platform, and they asked me, would you help come run our investigations team?

Joe Sullivan:

And I thought that would be an interesting, different direction for my career, at least for a bit. And so I walked away from being a full-time lawyer and jumped into doing investigations and managing people and thinking about it from the perspective of those companies.

Rayna Stamboliyska:

I mean, someday, if you decide to write a book, please sign me up as your first, you know, fan to send it to. I know, I mean, we can spend more than an hour on this because I also saw you've worked with Robert Mueller, who has come to prominence more recently on other investigations, for example, for the 2016 presidential campaign and the surrounding suspicions about interference from foreign powers and so on and so forth. So, yeah, please write a book, you know. And hearing you, I know that you have learned a lot from your past experiences, past lives even.

Rayna Stamboliyska:

So I also believe that learning from past messes and successes is a superpower. So what's the one thing that you learned, perhaps the hard way, during those years?

Joe Sullivan:

Well, I think that my conclusion today is that we still haven't figured out the right dynamic between the public and private sector for purposes of keeping the public safe on the Internet. I think the model is still not right. It's still broken. We still have the tension between the public and the private sector. We still have very unsettled expectations and a lack of certainty from the public around what of our information is being stored and retained in the servers of these companies.

Joe Sullivan:

Is it in our best interest or the company's best interest? You know, some governments want to retain all that information because it might be in their best interest. And so the tension between privacy, security, access to data, that's playing out publicly and being debated. Not as much, though, is the underlying, okay, sometimes we do need to save data for purposes of security. And then what is the dynamic between the public and private sector?

Joe Sullivan:

How transparent should the private sector be about what's happening on their platforms? I mean, the reality is no company is fully transparent about all of the bad things that happened to their customers because, a, sometimes the customers don't want it shared. B, oftentimes the company is worried about the impact to their brand. C, the lawyers will tell you not to share it. And, d, other people involved don't want any impact on their stock price related to security.

Joe Sullivan:

That's a fundamentally broken model, because too many people are still getting hurt online, and we don't have clarity of expectations. And it's in these gray areas that the problems fester, and the bad people are allowed to go in and find vulnerabilities and exploit. And so we have to keep working, and we have to try and continue pushing for better dialogue between the public and private sector and clearer expectations. Fundamentally, I don't think we can stop the evolution. We need to keep pushing it, and we need to push it in the direction of more safety, but not necessarily more retention of data.

Joe Sullivan:

And that's the tension.

Rayna Stamboliyska:

Yeah. I'm glad you brought this up, because I have a lot of questions around this, you know, around people being the perimeter in cybersecurity, ultimately. I mean, we can talk about whatever career moves, about tools, about you name it. But at the end of the day, we are doing this because we want to protect people, and you and I, we're someone else's end user, finally. Right?

Rayna Stamboliyska:

So thank you for bringing this up so eloquently. And so let's talk about us, you know, the ones who do, the ones who endure, the ones who decide, the ones who execute. Today, you are a CEO, knowing what you know today about the challenges that a CEO has vis-à-vis the board, vis-à-vis investors. You mentioned them a few times earlier.

Rayna Stamboliyska:

I guess, also, your vision about engaging the board has evolved. You know? So what is the one thing you want CISOs to know about engaging the CEO or the board?

Joe Sullivan:

I think that the security executive community cares as much as the government about protecting people online, but I'm not sure that the board and the CEO get it yet. Most companies do not invest enough in cybersecurity.

Rayna Stamboliyska:

That's very true.

Joe Sullivan:

If you step back and you look at the economic models of software companies that have come along in the last 25 years, there's an expectation that they will generate margins that are much bigger than historically typical margins. You know, if you're an auto manufacturer, your margins are like this, and you're always looking at efficiency, but you have to have a commitment to safety. You have to have seat belts in the car. You can't cut those things. You can't cut the airbags.

Joe Sullivan:

You can't cut the crash resistance. In the software world, we haven't forced those safety mechanisms into the margin conversation. And so investors will invest in a software company thinking, oh, if it's a successful company, we'll make 40% margins. That's never happened in history because the math doesn't work out. And the math isn't working out today.

Joe Sullivan:

It's just that the cost of the product is being borne by people different than the people who build it.

Rayna Stamboliyska:

Yeah. Thank you for this. So let's go into what one could call, like, a limit situation, you know, when you were pushing towards the boundaries, or the frontier situation, if you like. I mentioned in the intro to this episode that during your time with Uber, things took an unexpected turn. I know that you've been in a dark place for several months, you know, at the time things panned out.

Rayna Stamboliyska:

And I also know that you care for the community and that you want to share with colleagues, with, you know, with the ecosystem more broadly. So as a reminder, in the fall of 2016, outsiders accessed Uber's AWS Cloud instance and accessed data that they weren't supposed to have access to. So the government suggested that Uber tried to cover this up. At that time, you were the CSO, so the chief security officer of Uber, and you were brought to court following the government's accusation. This is something that I guess you have been asked about a lot of times.

Rayna Stamboliyska:

What I did in previous episodes, like, for example, in our episode with Greg Crowley from eSentire, is I brought up how scary it is to work knowing that you can get sued for doing your job. You know? This is not something we have in Europe, so this litigious approach to things. And so Greg acknowledged that, you know, I'm quoting him here.

Rayna Stamboliyska:

We are working our butts off to protect everyone, and that's challenging enough, end of quote. And he mentioned your case as a stark reminder of how stressful it is to have possible litigation hanging over your head. And he went on to suggest responsibilities be further clarified and shared across c levels through, what he named a CISO office, where those roles participate. So what's your take on that? What's your take on how we gear responsibility?

Rayna Stamboliyska:

Should we mandate more responsibility towards the organizations, towards specific organs within the organizations, or should we really gear it towards the individual execs who are in charge since they have a C, you know, in the title, of sorts?

Joe Sullivan:

A lot of security leaders have C in the title, but they don't have C in reality. They're not decision makers in the running of their company, and it's because the role is in a state of evolution. And my biggest worry is that those of us who are in the profession, we have a tendency to talk to each other and not to the rest of the C-suite about how this role should evolve. We need to have more conversations at the right places about the evolution of the role. If the conversation only comes up when a security executive is talking in the context inside their company, any executive who stands up and says, I should have more power.

Joe Sullivan:

Like, that's not teamwork. That's not leadership. That's not how people, like, actually get more responsibility and power. They have to, like, I think there's, you know, often a saying in the corporate world, like, you have to do the job before you get the title. And we're not really quite doing the full job, because a lot of security leaders feel, if I step in and start doing the job, I take on the risk.

Joe Sullivan:

Why should I take on the risk? I'm not getting paid to take on the risk. And so it's like this catch-22, which goes like, which is gonna happen first? Well, the government's been on the sidelines watching and saying, you know what? We're gonna treat you like an executive.

Joe Sullivan:

We're gonna hold you accountable. Now it's not uncommon in the United States for most senior executives to have personal liability risk. If we look in the finance space, there were some very big abusive situations that I don't know all the details on. We often talked about one called Enron that led to a fundamental change in the laws for companies about disclosures around their financial state. And so in the United States, the CFO, the head of finance, and the CEO have to sign off on the financial documents and their accuracy under penalty of perjury every cycle.

Joe Sullivan:

That shifted the responsibility. Like, the CFOs now have criminal responsibility related to all of the financial controls of the company. Now if you looked at the world of CFOs 25 years ago, before that law came along, they didn't have the same level of power, visibility, oversight. They didn't have the budget to bring in independent auditors every cycle. Now, because CFOs have the formal obligation and they have to sign, plus the CEO also has the formal obligation and has to sign.

Joe Sullivan:

The CEO and the CFO are highly motivated to ensure that those things are correct. We don't have anything like that yet in cybersecurity. So the regulators are focusing on the security executive. But what I hope and what I think will happen is, the more of these cases they do and the more the governments of the world dig in, they will see, wow, why are we trying, like... The reason why government moved to enforcement against individuals in the finance context was because they felt like, oh, if they went after that company, the CFO and the CEO just left and started another company.

Joe Sullivan:

There was no personal motivation to do a better job. So they wanted to bring in that personal motivation through law, by, you know, by risk. I think that in the security context, they're going to realize, if we want to change the behavior of corporations around security investments, we have to put the pressure on at a higher level than the head of security, because there's no question. Every single head of security out there is working their, like you said, working their butt off to do the best they can. They took a really hard job that a lot of people don't want, because they're passionate about protecting people, because they're passionate about the end user.

Joe Sullivan:

And they didn't take it because it was the highest-paying technology job, because it's not. So they're taking on all this risk willingly because they care about people. And I think governments are gonna see that more and more and say, we need to help those security leaders get more budget, get their company to a better place. And so I hope that we're just kind of, like, at a stressful point that becomes less stressful for those security leaders as more accountability moves up above them.

Rayna Stamboliyska:

Yeah. Let's see how this goes, because in Europe, we are expecting the entry into force of the NIS 2 directive in October this year. And there is a point about governance, about the directorship at large, if you like. The management, top management, recognizing the solitude of, you know, cybersecurity people who don't even have titles. They're like security engineer, you know, and you have two people in the basement trying to do their best, and their salary is the budget.

Rayna Stamboliyska:

So the reality is really dire in Europe, much more, I gather, than in the US. Let's see how this will pan out, because from what I'm seeing about how the member states are transposing this specific, particular topic, they are not in a position to understand the spirit of it. Right? So let's see. It's too early now, but let's see in two, three years' time, when the revision of the directive will happen, how this will have played out in the more, let's say, in the midterm.

Rayna Stamboliyska:

Since I'm mentioning Europe again, I cannot not say that, you know, we have a profoundly different approach to, of course, litigation, but also to compliance and to risk. And, yeah, you may have noticed that we are big on regulation, and that we're quite proud of it. So with the NIS 2 directive entering into force this October, we will be required to report cyber incidents and vulnerabilities under strict timelines. This has been, by the way, quite a beef during the elaboration of the framework. So let's, you know, let's see again how member states transpose this.

Rayna Stamboliyska:

But I know that this is practical in the way the criteria are set about that reporting, about that notification. In the US, I know that you have the SEC cyber disclosure rules, and they take a different approach. They rely on materiality. And I've struggled as a cybersecurity professional to understand what materiality means. And from press coverage and others, I'm seeing that materiality is in the eye of the beholder, so to speak.

Rayna Stamboliyska:

So what's your take on that? Like, should we have mandatory notifications, you know, depending on materiality? Should we have non-mandatory, industry-based ones? Like, how should we deal with disclosing incidents, disclosing exploitable vulnerabilities? Could this be a way of, you know, getting some oil in the cogs of that complex and clumsy machine that's the government interacting not so well with the private sector and vice versa?

Joe Sullivan:

So first of all, I would say the more we can encourage organizations to be transparent, the faster we will get to a better place. The challenge is the details. Like you said, Europe and the United States have taken very different approaches, and even between member states, they're taking different approaches. But I think that's okay. Let's go a level deeper.

Joe Sullivan:

It feels like the companies are very opposed to regulation, and the governments are experimenting with different variations of regulation to see what works. I would submit that a lot of security people are not as against regulation as their companies are. In fact, I think it's the opposite. Security leaders would love more objectivity. They would love clear rules.

Joe Sullivan:

If you go by type of company, they have different types of regulations. So, for example, in the United States, if you're in financial services, the amount you spend on cybersecurity defenses is much higher, because they have regulators looking over their shoulder all the time, and lots of different regulators. And they also have financial accountability when they lose money. So financial services invests a lot more than some other categories such as, say, health care, where there doesn't seem to be the same level of accountability or oversight by regulators, even if there is some regulation. So the bottom line is regulation drives better behavior from corporations when it comes to cybersecurity.

Joe Sullivan:

So I, for one, am supportive. I'm one of those Americans who thought that GDPR was a good idea, and then I was very happy to see that a lot of the US companies, because they had to comply with GDPR for the EU, found it was easier to just comply for the whole world than to have, you know, two different platforms, one serving the EU. So I thought that GDPR drove a lot of good behavior, as somebody who was overseeing cybersecurity at US corporations in the pre- and post-GDPR world.

Joe Sullivan:

Like, the fact that GDPR existed meant that I got a lot more resources, and I was able to push other teams across the company to help me much more. And so I value those types of regulations. I don't like that we have to have these deep conversations inside the company about, is it material or not? Should we do a disclosure or not? The more objective we can get those standards to be, the less risk there is inside for the person who's got that security executive title.

Joe Sullivan:

So do I think that what the SEC did with their first version of a materiality regulation is perfect? Absolutely not. But we shouldn't accept that it's the last version. It should be an iterative dialogue, and I think that the SEC will continue to learn as they get these disclosures from companies. And there are more disclosures from companies than there were before that regulation, so it's a step in the right direction in that regard.

Joe Sullivan:

Is it causing a lot of churn and confusion inside companies because it is such a vague definition? I think the answer is yes. The good news is most security executives are not the person responsible for making that materiality decision. That is a complicated decision that has to be made by a cross-functional team that definitely has to involve people with legal expertise that no security executive has, whether they worked in the law in the past or not. You just can't keep up with the law if you're not doing it all day long.

Rayna Stamboliyska:

No. That's very true. I can completely relate to what you said about GDPR coming along. You know? I mean, I was in a deputy CISO position at that time, and we saw GDPR giving us our first budget.

Rayna Stamboliyska:

Exactly. That didn't exist before. Your budget was your salary. You know, like, no. That's not how things work.

Rayna Stamboliyska:

Hello? But yeah. So we are the underdogs here because I agree with you that, yes, regulation helps people better understand the rules of the game, the rules of engagement even. So the clearer, the better. I think for now, let's, you know, let's categorize this in the unpopular opinion bucket.

Rayna Stamboliyska:

And since we started to talk about, you know, the future, about how we build better, I wanted to get you to talk about anticipating, about the outlook, you know, more of a strategic outlook, if you want. And in our episode with Alexandra Goroy from Oxfam, she insisted on cybersecurity pros needing to be comfortable with the uncomfortable. And I like this way of framing stuff, because every time we try to imagine and prevent or prepare for, say, future unpleasantness, this is super uncomfortable. Like, you know, every time I'm telling you, you're in the middle of watching your favorite sitcom, and, oh, what do you do if now there is a fire? Your immediate reaction is, oh, stop bugging me.

Rayna Stamboliyska:

You know? And so that's our job. That's what we do on an everyday basis. So what is the risk that you think needs more attention? Or is there a black swan event that you could imagine would affect CISOs and that they should consider?

Rayna Stamboliyska:

So a black swan event, just as a reminder, is a very low probability event with a huge negative impact. So it's very difficult to anticipate, but when it happens, you recognize it, and you regret not having been more imaginative before. So what would be a risk that needs more attention, or such a black swan event, for you in the coming years?

Joe Sullivan:

Isn't this the ultimate challenge of the role of the security executive? I find that one of the things that's fundamentally broken for us as a set of executives is our ability to articulate risk well. You talk about a black swan event. The cost from that event is massive, but the amount of investment you need to make to ensure that the event never happens may also be massive. And so this is where we often fail as security leaders.

Joe Sullivan:

We go into finance and we say, I need my budget to double for next year because cybersecurity risk is so bad. You know, there's nation states, there's ransomware, there's this, and the finance person says, okay. If the most we could lose is $100, can I give you $10 to make that $100 risk go away? That's the way finance is used to thinking. Right?

Joe Sullivan:

The business person says, if you give me €10, I will deliver €100 in revenue. And then the finance person says, okay. Here's your €10, and let's see what happens. Did you deliver me €100 in revenue? Next year, you don't get the same amount of money if you didn't deliver.

Joe Sullivan:

When I've run fraud risk teams, it works the same way. They say, can you get rid of €100 of credit card fraud hitting us that we have to do chargebacks for? And if I say I need €20 to make that €100 of loss go away, they'll give me the €20 every time, because it makes business sense. Security leaders, we have not figured out how to articulate, okay, if you give me enough money for an EDR solution, it'll reduce my risk by x in financial terms. If you give me an endpoint solution, plus you give me a cloud security posture management solution, it'll reduce my risk by x plus y.

Joe Sullivan:

We're not very good at that, and we don't have a structured, consistent way, so if someone's on the board of five companies, they will say to me, Joe, I heard five different risk quantification approaches. And so even if the board comes at you with a hypothetical black swan situation, the answer that the board is gonna get is gonna vary way too much. So we have to get more structured and consistent. There was great hope that the emergence of cyber insurance was gonna drive more consistency, but it hasn't yet. So we're still struggling in this area.

Rayna Stamboliyska:

Oh, yeah. And it's even become worse, from my experience at least. I mean, the fact that you have cyber insurance is now even seen as the equivalent of, I have protection.

Joe Sullivan:

Oh.

Rayna Stamboliyska:

It's no, you don't. You're just transferring part of the risk. But that's it. Someone will contain bits and pieces. But you'll still have to pick up the pieces from the ground and, you know, put glue there and, you know, hope for the best.

Rayna Stamboliyska:

And then you also have some specific assessment criteria for cyber insurance which are completely out of luck or whatever. I mean, they're completely out of scope and totally, like, I mean, they would have made sense in the nineties or early 2000s. But we're, you know, we're well into the 21st century. They should join us at some point. But, okay, I don't want to ramble here, because, again, that could be another, at least, four-hour discussion.

Rayna Stamboliyska:

How do you encourage yourself, the people around you, colleagues, the community, to think ahead around security, around the role, around investments in cyber? How do we encourage people to do that?

Joe Sullivan:

Well, I think it goes back to something you said. You quoted a prior guest who wants security people who embrace the reality of change. And you mentioned how, like, in general, people don't like change. When you were saying that, it made me think about back when I worked at Facebook. The product people were pushing out changes to how Facebook worked, like, all the time, because, you know, their job was to sit there and think, how could we make Facebook better for people? And every time they pushed out a change, someone would create a Facebook group called "don't change Facebook," you know, and hundreds and thousands of people would join and say, we like the old Facebook better. And so it got to a point where it was a joke, like, should we create the group ourselves so that people could go channel their voices to tell us not to change?

Joe Sullivan:

And so you're right. It's like human nature that we don't like change. If something works a certain way, we like that it works that way. You know? I remember recently my dad switched cars, and just the way that the key worked drove him crazy because it changed fundamentally.

Joe Sullivan:

Like, you don't plug the key in anymore. Then, like, how's it a key if you don't plug it in? And so we're constantly, as humans, dealing with change that makes us uncomfortable. Well, cybersecurity people can't be like that, because the world around us is changing constantly. A, the technology is evolving really quickly.

Joe Sullivan:

You know, we haven't talked about, you know, quantum computing or artificial intelligence, you know, but we were talking about cloud computing, which some people are still trying to get their head around, and the use of SaaS apps and how that impacts all of our risk models and threats. So the technology is constantly changing. It never stays the same. That's the first challenge we have to deal with in terms of accepting change. The second is the threats.

Joe Sullivan:

I do a lot of security consulting projects on the side, because I understand that if I stopped being a practitioner, I think I would be left behind in a year, you know, not just from the technology, but from the threat standpoint. Like, I'm working on a project right now with a company, where they hired someone who, it appears, is based in North Korea. And it was just somebody who wanted, I guess, to get a job, but they couldn't because of sanctions. But it turns out, I had no idea until I started working this case and we engaged with the FBI, and then we discovered the FBI has a whole task force because lots of companies are dealing with this exact threat. Well, before the pandemic, the idea of companies onboarding remote workers who've never physically interacted with each other in person, that risk didn't exist.

Joe Sullivan:

But if you stopped practicing cybersecurity three years ago, you wouldn't know about these patterns, and you wouldn't know how to help if you found it. And so you have to build new risk models. You have to build new tools to deal with new threats. And so as a cybersecurity person, you better be okay dealing with change.

Rayna Stamboliyska:

Yeah. I'm into that, and I'm coming from someone whose company's leitmotiv is mastering uncertainty. You know, I'm with you here 100%. So in one word, only one, what is the biggest hope, or if you prefer, the biggest opportunity for the CISO role for the next seven to ten years?

Joe Sullivan:

Optimism?

Rayna Stamboliyska:

Optimism. I like it.

Joe Sullivan:

I think that the role is evolving really quickly. I believe that it's going to become a higher-level role in organizations. And I get to spend a lot of time with the generation of up-and-coming leaders who are more comfortable with that potential ceiling for the role, with the risks. And I think there are a lot of really bright, young, ambitious people in this profession who are gonna help take it to a level higher than my generation of leaders.

Rayna Stamboliyska:

Thank you. In one sentence, name the easiest thing about being a cybersecurity leader in a large for profit organization.

Joe Sullivan:

For me, the best thing about being a security leader in a growing organization has been the team that I get to work with. In cybersecurity, we learn so much from each other, and we need to build from each other. And just because you're the person in charge doesn't mean you know all the answers.

Rayna Stamboliyska:

Thank you. What is the one thing you wish you'd have known when you started your career in cybersecurity?

Joe Sullivan:

I wish when I started my career in cybersecurity, I knew how to talk to executives.

Rayna Stamboliyska:

Don't we all? My last question is, you have one cybersecurity wish that can come true. Right now, I have a magic wand. What would that be?

Joe Sullivan:

If I could wave a magic wand and have one thing happen, it would be that accountability and understanding of the importance of the role and the need for investment settled into the heads of our CEOs.

Rayna Stamboliyska:

Or let's drill it in. It's better. But yeah. Thank you, Joe.

Joe Sullivan:

Thank you, Rayna, for having me on. It's been a really invigorating conversation for me. I think we share a lot of the same perspectives about change that needs to happen in this profession, and it's not gonna get there unless we all talk about it and encourage each other and push each other forward. As a community, we'll do better if we help each other, and I'm grateful that we were able to kinda hit these themes together. So thanks for having me on.

Rayna Stamboliyska:

Thank you. That was Joe Sullivan sharing his experience and insight, and I'd like to thank him for his time and for the highlights that we, security leaders, need to embrace the reality of change, including, or even first and foremost, the change that our own roles undergo. That's all for this episode of What the Hack is a CISO, anyway, supported by Sysdig. I'm Rayna Stamboliyska, and I'll see you next time.
