Uber announced on Thursday that it is hiring its first chief security officer: Joe Sullivan, who was lured from the same role at Facebook.
The ride-hailing company is quickly becoming known as an aggressive recruiter, and Sullivan is a big get: He got his digital start as a Department of Justice prosecutor focused on computer crimes before making to leap to the private sector at eBay, where he worked as a senior security director for years before heading to Facebook in 2008.
But his hiring also raises questions about why Uber didn't have a chief security officer for the first six years of its existence and the perils of a larger start-up culture that collects data first and secures it later.
"Security is an afterthought," said Tyler Shields, a senior security analyst at Forrester Research. In the fast-paced start-up world, companies are developing products and getting them into the hands of users as fast as possible to see what sticks, he said, which can mean pushing things out the door without putting security controls in place.
"Applications can live without security controls and be functional so people will buy them. But security controls can't exist without an application," he explained. When start-ups weigh the costs, it can make more economic sense to focus on improving the functionality of core products before figuring out how to secure them -- even if that leaves consumers potentially at risk.
The nature of Uber's business, connecting riders with drivers in their vicinity, means it collects a lot of revealing data about how users move around the physical world. It also has access to customers' payment information, which is a juicy target for financially motivated hackers.
And Uber's privacy and security practices have had a bruising year: The company acknowledged in February that a breach the previous year exposed the drivers' license numbers and names of some 50,000 customers. Last fall, an executive at the company came under fire for allegedly suggesting it could dig up dirt on a journalist critical of the company during a dinner party, and Uber's privacy practices faced considerable scrutiny after reports that a general manager used its ominously labeled "God View" to track a journalist's trip without her consent.
But through all of this, the company didn't have a chief security officer.
That's not to say the company didn't have resources dedicated to security: A review of Uber's privacy program by law firm Hogan Lovell released in January said the company has a "data security program that is reasonably designed to protect" consumer data and that a "cross-functional privacy and security team meets regularly" to asses potential data security risks.
"With millions of riders being supported by an always-growing data infrastructure, we’ve invested significantly in expanding and improving safety and security," Uber chief executive Travis Kalanick said in a blog post announcing Sullivan's hiring. "We’ve also been looking for the right individual to oversee our global cybersecurity and safety efforts — someone who understands what makes Uber unique."
But a company spokesperson did not immediately respond to a Washington Post inquiry about why the company had waited until now to create the chief security officer role. That the job didn't exist at Uber until now may reflect where the issue fit into the company's list of priorities. And Sullivan's hiring may not necessarily signal that the company will buff up its cybersecurity practices, according to Shields.
"There are two different ways a chief security officer can act -- internally, trying to make sure everything is safe or outward-facing to demonstrate that they have someone at least thinking about these issues," he explained. Sullivan, whose background is more policy-oriented than technical, seems like more of the latter choice to Shields -- a hire aimed at calming customers and making the company appear more responsible to governments when it attempts to break into new markets.
Still, the hiring of any sort of chief security officer may signal that Uber is starting to grow up from its start-up roots.