Session Abstract: A case study into where Joe Sullivan went wrong. Over a 20-year career, he was a federal computer crimes prosecutor, a corporate Associate General Counsel, and CSO/CISO for Facebook, Uber, and Cloudflare before a spectacular fall ending in a criminal conviction. His former DOJ colleagues prosecuted him after back-to-back hacks of Uber in 2014 and 2016. But ultimately, he was not convicted for Uber's security lapses but for his ethical ones. Understand the facts that led to a renowned figure becoming a felon, how to avoid becoming one, and discuss organizational safeguards to keep leaders informed.
Summary: A case study of a CISO's federal criminal conviction. Fall guy or at-fault? Discuss how a renowned cybersecurity leader became a felon, how to avoid his fate, and what an organization can do to prevent security silos.
Additional Information: I plan to split the presentation into three parts. First, a case overview based on court filings pulled from PACER, organized around a timeline I created spanning 2014 - 2022. Second, a discussion of the charges Joe Sullivan was convicted of, the charges the DOJ tried but failed to convict him of, and other laws and regulations that impose individual obligations on CISOs. Finally, a lessons learned section comparing the perception in the security community that Joe Sullivan was a scapegoat with what he was actually convicted of (lying), how he could have handled the investigation differently, and what Uber could have put in place to prevent an individual from hiding internal investigation findings from corporate leadership and outside counsel, or manipulating those findings.