Security's Most Influential People in Security 2020 - Sounil Yu | 2020-09-03

CISO-in-Residence, YL Ventures

As the CISO-in-Residence of YL Ventures, a cybersecurity-focused venture capital firm, Sounil Yu provides entrepreneurs first-hand insights into product development, customer needs and how global enterprises evaluate cybersecurity vendors and their solutions pre- and post-investment.

Previously, Yu served as Bank of America’s chief security scientist, where he led a cross-functional team of experts dedicated to driving cybersecurity innovation. There, he pioneered the organization’s adoption of FAIR, a quantitative cyber risk analysis methodology, to enable the team to understand and evaluate risk more effectively. He also served as the University Dean for Bank of America’s internal training and education program and served as the executive sponsor for DevCon, an internal Bank of America conference.

Yu’s most influential business accomplishment is the creation of his Cyber Defense Matrix, a framework for understanding and navigating the cybersecurity landscape. He has developed use cases that make the Cyber Defense Matrix practical for many purposes, such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. Elements of the Cyber Defense Matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls and has also been adopted by the OWASP Foundation. He also developed the DIE Resiliency Framework (a.k.a. DIE Triad), which advocates for three paradigms (Distributed, Immutable and Ephemeral) to replace the CIA Triad. Yu is also a board member for the FAIR Institute and SCVX; a co-chair of Art into Science: A Conference on Defense; IANS faculty member; and a visiting fellow at the National Security Institute.

Previously, Yu led the FS-ISAC Measurements and Metrics Working Group to develop a unified corpus of measurements to consistently measure security posture and derive useful cyber risk metrics for executive level reporting. He co-chaired OASIS OpenC2 (a security standards group) to support interoperability of defensive technologies enabling machine-level speed for response actions.

“My career advice would be to have a security mindset that is intensely curious and willing to poke holes in the status quo. However, this must be done in the name of improvement. For every hole that you poke, don't just point it out, but be ready to roll up your sleeves and take concrete steps to make it better. It is easy to throw a brick through a window and blame the window engineer for bad design or for its inherent vulnerabilities. It's much harder to help the engineer build a better window that can withstand that brick and still let in light,” Yu says.

Yu is most proud of the cybersecurity internship programs that he led over the last decade. “Through these efforts, I had the opportunity to shape the career trajectories of over 500 interns and equip them with skills to tackle the many challenges we face in the cybersecurity industry,” he notes. “We often lament that we do not have enough qualified and diverse cybersecurity professionals to fill the hiring pool. I take pride in making meaningful contributions to this long-term talent pipeline and helping future cybersecurity experts find solid footing in cybersecurity.”

To do his part during the pandemic, Yu is a volunteer for Project N95, an organization connecting healthcare providers with manufacturers and suppliers of critical equipment. When he is not helping his community, he enjoys playing board games and video games with his children.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.