Uber’s New Security Chief Is Ex-NSA. Is He Up to Its Transparency Challenge?
Uber is on a quest to regain people’s trust, and that’s not just about becoming a more ethical, law-abiding company that takes passenger safety more seriously—it’s also a cybersecurity matter, following last year’s revelation of a hack that compromised the personal data of 57 million users.
A reminder: chief security officer Joe Sullivan paid the hackers $100,000 (with former CEO Travis Kalanick’s approval) to delete the stolen data and sign non-disclosure agreements, in an attempt to cover up the incident. That’s a really bad practice, to put it mildly, and the company was lucky to walk away with a mere slap on the wrist from the Federal Trade Commission.
Uber, now under the leadership of Dara Khosrowshahi, has finally found its replacement for Sullivan: Matt Olsen, a former National Security Agency general counsel and National Counterterrorism Center director, and until recently the president and chief revenue office at IronNet Cybersecurity, which he co-founded with former NSA chief Keith Alexander.
Olsen is certainly making the right noises. Per the New York Times, Uber’s secretive hack-hiding strategy “doesn’t make sense” to him. “I think they understand the need to be transparent and ethical, and vigilant in complying not just with the laws and regulations that apply, but the norms and standards that Uber customers and stakeholders expect of the company,” Olsen said.
Crucially, Olsen intends to unify Uber’s security team, which currently has separate groups dealing with online and physical security. That’s good: a platform straddling physical and virtual layers needs to treat safety in a cohesive way.
You may be forgiven for raising an eyebrow at this Olsen quote, though: “For any large organization, whether you’re talking NSA or a company like Uber, having a plan and having practiced and exercised how to respond to a breach is critically important.”
The NSA also had an extremely high-profile breach several years ago, courtesy of whistleblower Edward Snowden, that caught the organization entirely by surprise. And leaked NSA hacking tools have been used by malicious actors, most notoriously in the WannaCry ransomware epidemic. Albeit for understandable reasons, the agency’s responses to these catastrophes could not be described as particularly transparent.
In fairness, all this happened after Olsen’s time at the agency. Uber’s new hire certainly does carry credentials that suggest he understands the reality of breaches and their prevention and mitigation. If Uber falls victim to future breaches, though, let’s hope he’s serious about the need for transparency.
A version of this story first appeared in CEO Daily, Fortune’s daily newsletter on succeeding big in business. Subscribe here.