Joe Sullivan is the Chief Security Officer at Facebook, where he manages a small part of a company-wide effort to ensure a safe internet experience for Facebook users. He and the Facebook Security Team work internally to develop and promote high product security standards, partner externally to promote safe internet practices, and coordinate internal investigations with outside law enforcement agencies.

Being the CSO of Facebook certainly puts you into the spotlight. How have your prior positions prepared you for your work at Facebook?

I can think of two important ways my prior positions have helped prepare me for my current responsibilities. Before Facebook I worked as a federal prosecutor working on cybercrime cases that were in the media every day and then worked at eBay during the early part of the 2000s when that company was celebrated and scrutinized, . In both of those places I was challenged to develop creative solutions - because we were breaking new ground in areas where there was not much precedent. Likewise, in both I learned how to stay effective and focused even when under a serious microscope. Both skills, the ability to develop creative solutions to new and unique problems, and the ability to stay focused on addressing real risks and threats while under great scrutiny, are critically important for succeeding in my role at Facebook.


Facebook has partnered with the National Cyber Security Alliance on the STOP. THINK. CONNECT. campaign over two years ago. What are your thoughts about how public-awareness-raising campaigns can be improved in the future?

If you look at internet education safety campaigns before this effort by NCSA, you see a bunch of different parallel efforts focused on the same problems but using different tactics and terminology. This initiative is important because it brings together an incredibly wide spectrum of technology, communication and other companies to work with government on developing unified messaging. Having consistent terminology is critical to education in a complex area and with this effort the sum of our individual efforts working together is much greater than it would be if we invested the same in education but without this degree of coordination.

Facebook launched its bug bounty program in August last year and has already doled out quite a sum to outside security experts. Have there been any great surprises? Has the program influenced the way that the security team approaches code reviewing? Did you offer employment to a particularly successful bug hunter/are you thinking about doing it?