5 Minutes with Sounil Yu, CISO-in-Residence at YL Ventures
After a seven-year tenure as Chief Security Scientist at Bank of America, Sounil Yu joined YL Ventures as Chief Information Security Officer-in-Residence. YL Ventures is a Silicon Valley venture capital firm investing in Israeli cybersecurity startups, and Yu brings world-class cybersecurity expertise to further enrich the organization's ability to provide entrepreneurs – pre- and post-investment – first-hand insights into product development, customer needs and how global enterprises evaluate cybersecurity vendors and their solutions.
Yu is the creator of the influential Cyber Defense Matrix, a popular tool for organizing, evaluating and discovering security capabilities and solutions, and the inventor of the DIE Resiliency Framework, which has shaped the views of the overall security ecosystem. In a career spanning more than three decades, he has enjoyed productive tenures supporting Fortune 100 firms and national security organizations. Yu is a consummate cybersecurity professional, with 22 granted patents encompassing threat modeling, intrusion monitoring, endpoint security, attribution and other cybersecurity and IT disciplines.
Security Magazine: As a CISO, what is your main focus?
Yu: This CISO-in-Residence role is a bit different than the traditional CISO role. The "In-Residence" part doesn't just mean that I can work from home. Rather, it's meant to mimic the notion of an "Entrepreneur-in-Residence," which is an experienced individual that serves to advise startups and entrepreneurs, guiding them on the journey of creating successful companies that are tackling hard problems. As CISO-in-Residence, I'm doing something similar, but focused on the needs of a CISO and providing insights on the hard problems that we see in cybersecurity.
Security Magazine: How did previous roles prepare you for this role?
Yu: My previous role was as Chief Security Scientist at Bank of America. In that role, I had the opportunity to meet with hundreds of early stage cybersecurity companies trying to do business with Bank of America.
Security Magazine: Which accomplishment are you most proud of in your previous roles?
Yu: I'm most proud of my work on the Cyber Defense Matrix. It is something that I created to help organize everything in cybersecurity. Initially, I created it to organize and understand what all these cybersecurity startups do, but it has turned out to be extraordinarily useful for a lot of other use cases, such as rationalizing technologies, measuring control coverage and effectiveness, identifying control gaps, optimizing resource allocation and organizing security design patterns.
Security Magazine: What are your initial priorities over the next six months?
Yu: Over the next six months, my priority is to engage the entrepreneurs within our existing portfolio of companies at YL Ventures and to ideate with aspiring entrepreneurs in the Israeli ecosystem.
Security Magazine: In the long term, what do you hope to accomplish?
Yu: To answer this, I need to give a little background. Another accomplishment that I'm proud of is the DIE Resiliency Framework. It articulates the need to think differently about the future needs in security. The DIE Resiliency Framework advocates for three new paradigms for how we secure systems. The old paradigm focuses on Confidentiality, Integrity and Availability, or what we know as the CIA Triad. The new paradigm focuses on building systems to be Distributed, Immutable and Ephemeral, or what I'm calling the DIE Triad. What's interesting about the DIE Triad is that if you build systems to DIE, then you don't need to CIA them at all. So over the long term, I'm hoping to nudge the industry towards aligning against the DIE Triad and to make DIE-like design patterns more readily available and easier to implement.
Security Magazine: Have you had the opportunity to mentor other individuals?
Yu: I know that there are many people that I've worked with who look to me as a mentor, and I appreciate that sentiment. But I think each of us comes in with distinct and diverse skill sets that we can each learn from, so while I might serve as a mentor and advisor in a very limited area of expertise, I see the many so-called "mentoring sessions" that I've held as an opportunity for me to also learn from others and grow my understanding of the complex world around us.
Security Magazine: What do you like to do in your free time?
Yu: Well, in the immediate term, I'm volunteering for Project N95, which is a national clearinghouse to connect healthcare providers with manufacturers and suppliers of critical equipment. It was set up to get personal protective equipment, such as gowns, gloves, ventilators and masks, to frontline medical workers across America by helping vet suppliers and make it easier for healthcare providers to get the equipment that they need. Otherwise, I like using my free time to play boardgames and video games with my kids.