Sullivan was a rock star. He was one of the first federal prosecutors to work on cybercrime cases in the late 1990s and went on to become the chief security officer at Facebook.

Mr. Sullivan was a well-known figure when the security community went to Las Vegas for conferences.

Renee Guttmann was the chief information security officer for Coca-Cola and Campbell Soup. He was a leader in his field.

It was a shock to many in the community when Mr. Sullivan was fired by the ride sharing company. Mr. Sullivan was hired as chief of security at Cloudflare despite the scandal.

In 2020, the same prosecutor's office where Mr. Sullivan had worked decades earlier charged him with two felonies, in what is believed to be the first time a company executive has faced criminal liability. Mr. Sullivan has not entered a plea.

Mr. Sullivan took a leave of absence from his job at Cloudflare in July to prepare for his trial. Chief security officers are concerned about what the case will mean for them.

Chief information security officers, or CISOs, are responsible for ensuring that their companies' data remains safe from hackers and fraudsters, a high-stakes job that has become increasingly difficult

T-Mobile, OpenSea, and the NFT marketplace have all been hacked in the last year. CISOs are wondering what will happen if their security fails. They worry that the outcome of Mr. Sullivan's trial will set a precedent for who is at fault. They might be left holding the bag.

Mr. Sullivan learned that hackers had secured access to the personal data of about 600,000 Uber drivers and some personal information associated with 57 million riders and drivers. Credit: Jeenah Moon for The New York Times

Ms. Guttmann said that the case of Mr. Sullivan had made her think more about the problem of ransomware, when a company is locked out of its files and forced to pay a fee in order to get them back. Many companies pay the ransom, according to a survey.

She wanted to know if all of them would be prosecuted six years from now.

Security executives worry about being on the hook for legal costs. The legal costs of executives who are sued as a result of their work with a company are covered by directors and officers insurance.

A lot of chief information security officers go to their bosses and ask if they have D.&O. insurance, Mr. Blauner said. What they are saying is that if they are going to be held liable, they want legal coverage.

Mr. Sullivan and the company reached a private settlement after Mr. Sullivan sued the company to get his legal fees paid.

Some security officers are sympathetic to Sullivan's handling of the security incident at the center of the criminal case. According to a criminal complaint, Mr. Sullivan found out in 2016 that hackers had gained access to the personal data of 600,000 drivers. According to prosecutors, Mr. Sullivan directed those responsible to the company's bug bounty program, which was set up as a financial incentive for third parties to report its security vulnerabilities.

The criminal complaint states that the two men in their 20s were paid $100,000 in Bitcoin and had to sign non-disclosure agreements. The Federal Trade Commission was investigating the company for its privacy and security practices.

Dara Khosrowshahi, who took over as chief executive of Uber in 2017, fired Mr. Sullivan. Credit: Annie Tritt for The New York Times

When Mr. Sullivan was fired, it became public. Companies are required to inform individuals when their data has been exposed. Two men pleaded guilty to hacking

The member of the security team who spoke on the condition of anonymity said he wasn't surprised that Mr. Sullivan had been indicted. He said that it was not uncommon for people who found vulnerabilities to be directed to the company's bug bounty program.

Mr. Sullivan is accused of obstructing justice and concealing a felony for failing to tell the F.T.C. The company didn't want to comment.

Michael Sierchio, who was a member of the security team, said that Mr. Sullivan had been unfairly targeted.

Mr. Sierchio said that he was being blamed. He is a former prosecutor, so the government thinks he knows better.

The New York Times spoke to several chief security officers who were concerned that Mr. Sullivan was the only one held accountable at the company. The legal department and the chief executive make that decision. There was no comment from Mr. Kalanick.

The judge seemed to agree that Mr. Sullivan was responsible for the actions of the company.

The judge said that he had not realized that the case was against the ride-sharing company.

There was no comment from the U.S. attorney. The state will show what Mr. Sullivan did to undermine the legal obligations of the company.

Steve Zalewski, a former chief information security officer for Levi Strauss, described the field of cybersecurity as still evolving, having grown up alongside the internet over the last 30 years, and said calls like the one that Mr. Sullivan had made were difficult.

"Because it is relatively young, we don't have that body of law and body of knowledge that's derived over time to know where the line is." Every day, bad guys attack us. We are defending the company.

Chief security officers are not always easy to please. The chief information security officer at the data broker Equifax kicked off a spirited discussion on LinkedIn when he accused those defending Mr. Sullivan of "tribalism."

Uber’s offices in San Francisco. The prosecutor said that Uber had legal obligations around security and privacy and that the state’s evidence would show that Mr. Sullivan undermined those obligations. Credit: Jason Henry for The New York Times

Mr. Farshchi wrote that it was easy to downplay accountability when fighting for your tribe. The U.S. v Sullivan trial will start in September, but the key lesson here is one that almost every CISO has experienced firsthand: when faced with a lose-lose decision, do the right thing.

As Mr. Sullivan's trial approaches, another high-profile former security chief is in the news for revealing security problems rather than hiding them. Peiter Zatko, who was fired as head of security at Twitter in January, claimed that his former company had hidden security vulnerabilities from regulators.

The weight of the world is on our shoulders, according to the chief information security officer at the software company. I don't have as much hair as I used to.

Up to 1,500 businesses were affected by a cyber attack from a Russian-based cybercriminal group. Mr. Manar took a security job at the company at the end of 2021.

He said that the difference between the two incidents was that Kaseya had quickly disclosed the hack and worked with law enforcement officers, which gave him the confidence that the company would have his back if anything went wrong again. He was hoping that Mr. Sullivan's case would be an exception.

He acknowledged that there are risks to being the person in charge.

He said that the stakes are high for CISOs. It comes down to an ethical and moral responsibility, as well as a legal responsibility, to just do what's right.

Ms. Guttmann was the former CISO for Coca-Cola and Campbell. She spoke with people who were supportive of Mr. Sullivan but discouraged by his situation.

She said that people who were senior at their job would not take the CISO job. The liability. People think this can be a short-term job.