Former Facebook security chief Alex Stamos: Being a CSO can be a ‘crappy job’

Alex Stamos has been at the helm of some of the world’s most powerful companies for the past half-decade and is widely regarded as one of the smartest people working in the security space.

Now, just a month into his new gig as an academic, he can look back at his time with a dose of brutal honesty.

“It’s kinda a crappy job to be a chief security officer,” said Stamos, Facebook’s former security chief, in an interview with TechCrunch at Disrupt SF on Thursday.

“It’s like being a [chief financial officer] before accounting was invented,” he said.

“When you decide to take on the [chief security officer] title, you decide that you’re going to run the risk of having decisions made above you or issues created by tens of thousands of people making decisions that will be stapled to your resume,” he said.

Stamos recently joined Stanford University after three years as Facebook’s security chief. Before then, he was Yahoo’s chief information security officer for less than a year before he departed the company, reportedly in conflict with then-Yahoo chief executive Marissa Mayer over the company’s complicity with a secret government surveillance program.

To many, his name is synonymous with a fierce defense of user security and rights, but he was at the helm when both his former employers were hit by security scandals — Yahoo with a three-billion-user data breach, and Facebook with the Cambridge Analytica voter profiling incident. Although the issues were inherited, he said he wasn’t going to “shirk” the blame.

“I was the CSO when all this stuff happened — it was my responsibility,” he said.

“I also hope I was able to make things better,” he said. “If you’re making individual decisions that you believe are ethical and moral that are pushing the ball in the right direction, in the end if things are imperfect, you have to live with yourself and continue to do good things.”

He said most companies have to navigate security, but also privacy and misuse of their products.

Stamos admits that while he came from a “traditional CSO” background, he quickly learned that the vast majority of harm caused by technology “does not have any interesting technical component.”

Speaking to disinformation, child abuse and harassment, he said that it’s the “technically correct use of the things we build that cause harm.”

He said that the industry needs to vastly expand how companies deal with issues that encompass but don’t fall within the strict realm of cybersecurity. “There’s not really a field around it,” he said, talking to the need to redefine “cybersecurity” to also include issues of trust, safety and privacy — three things that are important for companies to be working to ensure, but don’t necessarily fit into the traditional security model.

“There’s not a tech company starting up right now that is not going to have to worry about these trust, safety and privacy issues,” he said. “And hopefully we can take some of those lessons and spread them out a bit more.”

“I’ve learned a lot of things from the failures I’ve seen up close and I want other people to learn about them,” he said. That, he said, is one of the things he wants to help teach at Stanford, where he’s likely to stay for some time.

Asked if he would ever go back to a previous role as a chief security officer, “not for quite a long time,” he said.