In this episode of 'Never Too Early', host Lauren Ipsen speaks with Joe Sullivan, an esteemed internet security expert, about key considerations for founders hiring their first Chief Information Security Officer (CISO). Joe shares insights from his extensive career running security for Uber, Facebook, and Cloudflare. The discussion covers when to outsource vs. hire full-time, the importance of proactivity in security, and the qualities that separate good CISOs from great ones. Joe also addresses common misconceptions and the evolving landscape of cybersecurity, especially in light of recent regulatory changes and expectations.
00:00 Introduction to Never Too Early
00:20 Meet Joe Sullivan: Internet Security Expert
00:56 Joe's Personal Interests: Snowboarding at 53
02:54 Question 1: When is the right time to bring in a CISO? Joe talks about how to index on the right kind of hire for your security organization.
07:18 Question 2: How do I know if I need a CISO or someone more in the weeds like a security analyst? Joe and Lauren also talk about when it makes sense to outsource your security advice versus when it is important to have someone on the job full time.
10:34 Question 3: What are some backgrounds that make for a good CISO? Lauren and Joe talk about the evolution of this role over the years and the different types of individuals that are best suited to play the part.
12:22 Question 4: What are the most challenging things about being a CISO? Lauren also asks about where trust and safety come into the equation.
14:08 Question 5: What separates a good CISO from a great CISO? Joe talks about early learnings in his career and ways to not always feel like the person bringing bad news to the team.
19:14 Conclusion and Final Thoughts
Want more of Never Too Early? Find us on TikTok, @nevertooearly1 and subscribe to us wherever you get your podcasts.
Transcript
LAUREN IPSEN: Welcome to Never Too Early, a YouTube series focused on unconventional talent insights for founders. I'm Lauren Ipsen, Talent Partner at Decibel. In each episode, we'll cover the top five commonly asked questions that we get from founders building their organizations for the very first time. It's never too early to learn from the best.
I'm super excited to introduce my guest today, Joe Sullivan. Joe is an internet security expert. Having served as a federal prosecutor with the United States Department of Justice, and then working as a CISO at Facebook, Uber, and Cloudflare, Joe Sullivan is the most qualified to answer the top five commonly asked questions that we get from founders hiring a CISO for the very first time. It's never too early to learn from the best.
All right. Joe, welcome to the show.
JOE SULLIVAN: Hey. Thanks for having me on.
LAUREN IPSEN: Absolutely. My pleasure. I'm super excited to have you. First and foremost, I just gave a high level of your incredibly impressive professional background. Tell us something about you on a personal front that might be fun for listeners to know.
JOE SULLIVAN: Oh, sure. I think I'm a very competitive person, and I like new challenges. I taught myself to snowboard at age 53. And two years in, I'm now doing black diamonds on a snowboard. And I knew how to ski before, but snowboarding was totally new, and I'd never been a skateboarder or anything like that.
LAUREN IPSEN: I'm a skier. How difficult was it to learn how to snowboard when you've already got one thing down, and then you – you're trying to tackle something completely new?
JOE SULLIVAN: It was a challenge because you just get so used to doing things one way when you're on skis, and on a snowboard, your line of vision is completely different because you're mostly sideways instead of facing down the mountain. And it feels like, half the time, you can't see half the mountain. So that was one challenge.
And then the second part is just that the snowboard is much less forgiving. If you make a mistake, you just kind of get launched toward the ground. It's not even that you fall. It's like you are thrown at the ground. And so the hardest part is getting through the first week.
LAUREN IPSEN: Okay. And then I've heard that once you get decent at snowboarding, going from decent to really good is a little bit easier than maybe on skis. Is that a fad, or is that, does that feel accurate?
JOE SULLIVAN: I think that's true. The hardest part, even being decent on a snowboard, is that you just don't go as fast as the people on skis. And so when you get – when you develop your skills as a skier, you kind of measure yourself against the other skiers. As a snowboarder, you need to measure yourself against the other snowboarders.
LAUREN IPSEN: Well, let's jump into security stuff, if you're open to it. So the first question that I get from founders is, when do I bring in a CISO? When's the right time?
JOE SULLIVAN: Well, what I recommend to founders is that they not bring in someone with a CISO title too early. You know, startups, generally speaking, you don't want to start handing out the grand titles. And I think that's particularly the case in security, because the type of person you need as your first security hire probably hasn't already been someone with that title.
It might be someone who is one step away from that, who can grow with the role, because this – the CEO needs someone who can be hands-on, on the security side. So it's actually a really hard hire, that first security hire, because you get tempted by all the CISO resumes, but you really – when you hire the – when you hire someone who's been a CISO, the first thing they're going to want to do is bring in the people who work for them, and that's not typically the way the founder's thinking about scaling security.
I think the most important thing to do is bring in someone who can be hands-on, but who has enough experience that they can help explain the risks and communicate well with kind of the other functions inside the organization.
LAUREN IPSEN: Yeah. Makes good sense. So, you kind of touched on this a little bit, but then how do I know if I need a CISO or someone that is approaching that level? Or if I maybe just need a great security director, per se, or a cyber analyst, or someone that's a lot closer to the ground?
JOE SULLIVAN: This question really depends on what type of company you're building and what type of crown jewels you have. In security, we like to think about what are we trying to protect and how dangerous is it? So if you're a company that is starting out collecting a bunch of user data, personal information of customers, that is very sensitive and is going to trigger a lot of scrutiny of your organization. So you need to have somebody thinking about security almost from day one.
And it doesn't mean you have to hire a security person day one, but if you have someone – say, a CTO who has previously managed a security function – maybe they can kind of lead the way for a little while. Maybe – there are these people nowadays who have this title called virtual CISO, who kind of do the job for a few different companies at the same time and, you know, just give advice. Those are challenging because they don't actually roll up their sleeves inside your organization, necessarily.
LAUREN IPSEN: More of an advisor or kind of a mentor?
JOE SULLIVAN: Yes. And sometimes – it's interesting. Like, in the last year, I’d say about six months ago, I was doing two consulting projects with two different startups, and they were almost at the same stage.
And one of them decided – the CEO decided, I would like to have a dedicated security person who can report to me. I – I'm very concerned about my intellectual property. We're about to launch a Series A and announce it, and we're going to get a lot more scrutiny and potential threats from third parties. So they wanted to have somebody good on board and who had, like, 60 to 90 days in seat before they even announced their Series A.
I had a different company that was almost at the same pace and same risk level. They felt that their engineering team was very hands-on. So I did a – I think I did a 90-day sprint with them where we went through and made sure they had their security basics in place.
And then they switched me to be an advisor who meets with them once a month and calibrates, and makes sure that the two people on the engineering team tasked with it are continuing to push the ball forward. And then I also regularly still talk with that CEO about, okay, is now the right time to bring in someone?
In their case, we brought in an outside IT firm that has a bunch of security expertise as well. So they kind of have two engineers on the inside with me coaching them along and an outsourced IT firm that has a lot of experience, that's helping them actually calibrate their system to implement.
LAUREN IPSEN: If I'm a founder, how do I know when to outsource and when it makes sense to just bring someone in in a full-time capacity?
JOE SULLIVAN: It's always a question of comparing what you get with each. And so, with the outsourcing, institutional knowledge is lost when you move away from them. And so, if you're – if you're making a lot of expensive strategic decisions about security, you kind of want to bring in somebody that can make those decisions with the long-term in mind, rather than the short-term in mind.
Like, one thing when I talk to a lot of founders that surprises them about cybersecurity is how expensive it is. It's not – it's not enough to just hire an outside consultant to come and do a 90-day sprint with you. And I think sometimes when I talk to startups, they decide not to bring me in because they realize they won't just be paying for me, they'll be paying for all of the different tools.
Because in cybersecurity, it's a little bit of technical work inside the company, or maybe a lot, depending on how custom your environment is. But then beyond that, there is a bunch of upgrading of seat licenses that you already have, to get better versions of the products. So a company might already have rolled out email. A security person's going to tell them, "Well, we need to upgrade the email system, and we probably need an email security product too."
The company has already given out laptops, but they might not have put an endpoint security solution on it. And they're going to have to roll that out. And so, security offers a lot of costs, and that's something that you have to be ready for. But it's counterbalanced by your spending to reduce risk.
And that's where I find a lot of CEOs reach out to people like me when they're at the point that they've internalized, I'm taking on a lot of risk if I don't start investing in security.
LAUREN IPSEN: Yeah. So it sounds like you're saying, the better – I guess, the earlier that you can at least start thinking about these things and trying to be proactive around what could happen, the better. But maybe it's not bringing someone in necessarily in a full-time capacity until it feels like you're really thinking about the longer-term incentive and really where you want to be focusing on spend.
But it does make sense to at least have someone in the fold or someone that can give you some guidance around how to build the foundations and do things in the right way. Is that correct?
JOE SULLIVAN: Yeah. I think that's correct. You're just – there are some things that you want to do right away. You know, setting up – say you're using Google Workspace, setting up, for example, so that your Google Docs aren't automatically shared with everyone on the internet. Or if you're using AWS, making sure that your buckets aren't shared with everyone on the internet.
You're going to set up, probably your – you know, your email and your documents and your cloud infrastructure very, very early. And you need someone to look at that at the time you're setting it up.
LAUREN IPSEN: Okay. With that in mind, I personally have found that CISOs can often come from nontraditional backgrounds. They can come from a lot of different places. So I'm curious, in your mind, where you think the best CISOs come from?
JOE SULLIVAN: I think that founders should be open to a wide – the idea that security people can come from lots of different backgrounds. It's just the reality of how the profession has evolved that, you know, 20 years ago, there just weren't programs and universities that were at all helpful for developing people into this role.
And even now, it's a work in progress from the university standpoint. So if you're hiring a CFO, you're going to see lots of resumes that look very similar because the career path has been figured out. We haven't really, quote/unquote, “figured it out” in cybersecurity. And, in fact, different organizations are biased towards different – of the kind of – different types of profiles.
Those highly regulated industries bias towards a leader who knows the regulations, spends a lot of time living in spreadsheets, lining up controls against expectations. Whereas if you're not in a regulated industry and you're doing a lot of custom development work, you're going to bias towards someone who came out of an application security background or software engineering background themselves. And so, you'll see CISOs ranging from those areas. And then you'll see sometimes organizations need someone who has an expertise in policy, or, more and more lately, trust and safety.
You know, trust and safety in some organizations is completely separate from security, but in other organizations, they're together.
LAUREN IPSEN: I was just going to ask about that. So why is that the case? That sometimes that'll be living in a completely different world, and then other times, trust and safety and security go very much so hand-in-hand.
JOE SULLIVAN: It is – it's because those things kind of grow organically. And where the need for trust and safety often comes up is on the product and engineering sides, because – so you have a product and engineering team. They're building a product that brings – say you're a platform and you bring together buyers and sellers, or – like, I started at eBay. We brought together buyers and sellers.
Then I went to PayPal. We brought together merchants and consumers. Facebook, we brought together lots of different people and advertisers, et cetera. At Uber, we brought together drivers and riders.
And so, when you're managing a platform like that, you're not just responsible for creating the code that brings together these disparate parties. You're responsible for managing the risk of bringing them together. And so that's what we talk about when we say trust and safety, is, like, if you're allowing users to interact with each other – I mean, you could also be Reddit, where there's different people on forums together, arguing with each other, and you have to moderate that and come in and kick people off.
And so, in the – in trust and safety, it can be protecting people from fraud, but it can also be, you know, detecting – protecting kids from predators, and everything in between. And so, not everyone who has that cybersecurity background, who understands how to do application security and meet those regulations, is going to be experienced at all in thinking about trust and safety.
LAUREN IPSEN: Mm. Mm-hmm. Okay. Makes perfect sense. In your opinion, what separates a good CISO from a great CISO?
JOE SULLIVAN: Yeah. I think the biggest challenge for most CISOs is that they get so – they live so much in their own world that they forget how to communicate with normal human beings who don't understand the language of cybersecurity. And that is particularly important if you're the CEO.
You are – the CEO is ultimately responsible for everything at the organization, including security. So, by hiring a security leader, they're not abdicating any responsibility. They're just delegating it to someone. And so, from the CEO standpoint, they want to be able to understand what's going on over in security. And they want to trust that that person understands the business.
Cybersecurity leaders are often viewed – and security people in general are often viewed as the department of no, you know? And so, like, I can give you an example. Pretty early in my career as a CISO, I had an executive coach, and she said – she said to me, “Joe, when the other leaders see you coming, they see that Peanuts character who has the cloud of dust over his head, because you only go talk to them when you're telling them, ‘No, you can't do something because it's too risky,’ or you're telling them, ‘You got breached.’” So you're just, like, that security leader who isn't sophisticated about the business – only shows up when they're delivering bad news.
I think that a CEO wants to find a security leader who can show up and help the rest of the business because the security leader, just by nature of their job, gets to see everything that's going on across the company, more than probably anyone else who reports to the CEO.
Sure, the general counsel is responsible for anything legal, and CFO is responsible for anything financial, but the technology universe of an organization, as it grows, it gets incredibly complex. The CTO is probably focused on the product side. And then you might have a CIO who’s focused on the enterprise – you know, somebody managing the IT department.
And then there might be other technology that's being used over in sales that neither the CTO nor the CIO is involved with. But the security person needs to understand all of it. And that – because they're the department of – they're trying not to be the department of no, they're actually meeting with and debating and getting to good results with leaders across all of the company.
And so, I think a CEO should expect that the CISO should be a general risk counselor to the CEO and somebody who can go implement technically the solutions to get the company to the right risk profile.
LAUREN IPSEN: Yeah. Huh. Very, very interesting. Final question for you. What are the biggest misconceptions around being a CISO or running security? And what are the biggest challenges you think that you take head-on in that role?
JOE SULLIVAN: The biggest challenge is that a lot of business leaders think about cybersecurity the way it was five years or 10 years ago. Things have fundamentally changed in the last two years in terms of the expectations around cybersecurity investment by corporations.
In March of 2023, so just a little bit over a year ago, the Biden administration put out a policy, and it was very clear. It said, we are shifting responsibility for cybersecurity in this country to those who have the means to do it. And, if you read on and on, you realize they're saying it's – the responsibility’s moving to the companies.
In the past, I was on President Obama's Cyber Commission in 2016. When I was doing that with the other cyber leaders appointed by the government, we talked about a public-private partnership that was voluntary and hopeful. I think too many people have gotten hurt by under-investment in cybersecurity. And now the government is saying expectations are much higher.
And the threat is against the individuals in the corporation. You know, the Change Healthcare breach situation that was in the news a lot over the last couple of months, the CEO got grilled on Capitol Hill before Congress. And we're seeing enforcement actions where CEOs at startups like Drizly are being held accountable personally.
The CEO of Drizly was deemed to have not invested enough in cybersecurity, and now, if he becomes a CEO anywhere else, the consent decree follows, and that company inherits that oversight from the federal government.
And so, a CEO today needs to think about cybersecurity differently than they might've thought about it three or five years ago.
LAUREN IPSEN: Super, super helpful. I am so grateful that you came on, and I think this is going to be incredibly helpful to all of our founders. So, thank you, Joe, so much for the wisdom and the insights.
JOE SULLIVAN: Awesome. Thanks for having me on.
LAUREN IPSEN: Yeah, my pleasure. And thank you all for tuning in to Never Too Early. More to come soon.