CISO-in-Residence, YL Ventures

September 3, 2020

As the CISO-in-Residence of YL Ventures, a cybersecurity-focused venture capital firm, Sounil Yu provides entrepreneurs first-hand insights into product development, customer needs and how global enterprises evaluate cybersecurity vendors and their solutions pre- and post-investment.

Previously, Yu served as Bank of America’s chief security scientist, where he led a cross-functional team of experts dedicated to driving cybersecurity innovation. There, he pioneered the organization’s adoption of FAIR, a quantitative cyber risk analysis methodology, to enable the team to understand and evaluate risk more effectively. He also served as the University Dean for Bank of America’s internal training and education program and served as the executive sponsor for DevCon, an internal Bank of America conference.

Yu’s most influential business accomplishment is the creation of his Cyber Defense Matrix, a framework for understanding and navigating the cybersecurity landscape. He has developed use cases that make the Cyber Defense Matrix practical for many purposes, such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. Elements of the Cyber Defense Matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls and has also been adopted by the OWASP Foundation. He also developed the DIE Resiliency Framework (a.k.a. DIE Triad), which advocates for three paradigms (Distributed, Immutable and Ephemeral) to replace the CIA Triad. Yu is also a board member for the FAIR Institute and SCVX; a co-chair of Art into Science: A Conference on Defense; IANS faculty member; and a visiting fellow at the National Security Institute.

Previously, Yu led the FS-ISAC Measurements and Metrics Working Group to develop a unified corpus of measurements to consistently measure security posture and derive useful cyber risk metrics for executive level reporting. He co-chaired OASIS OpenC2 (a security standards group) to support interoperability of defensive technologies enabling machine-level speed for response actions.

“My career advice would be to have a security mindset that is intensely curious and willing to poke holes in the status quo. However, this must be done in the name of improvement. For every hole that you poke, don't just point it out, but be ready to roll up your sleeves and take concrete steps to make it better. It is easy to throw a brick through a window and blame the window engineer for bad design or for its inherent vulnerabilities. It's much harder to help the engineer build a better window that can withstand that brick and still let in light,” Yu says.

Yu is most proud of the cybersecurity internship programs that he led over the last decade. “Through these efforts, I had the opportunity to shape the career trajectories of over 500 interns and equip them with skills to tackle the many challenges we face in the cybersecurity industry,” he notes. “We often lament that we do not have enough qualified and diverse cybersecurity professionals to fill the hiring pool. I take pride in making meaningful contributions to this long-term talent pipeline and helping future cybersecurity experts find solid footing in cybersecurity.”

To do his part during the pandemic, Yu is a volunteer for Project N95, an organization connecting healthcare providers with manufacturers and suppliers of critical equipment. When he is not helping his community, he enjoys playing board games and video games with his children.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 December

This month, Security magazine brings you the 2020 Guarding Report - a look at the ebbs and flows security officers and guarding companies have weathered in 2020, including protests, riots, the election, a pandemic and much more. Industry experts discuss access management and security challenges during COVID-19, GSOC complacency, the cybersecurity gap, end-of-year security career reflections and more!

View More Create Account

Security's Most Influential People in Security 2020 - Sounil Yu

CISO-in-Residence, YL Ventures

Related Articles

Related Products

Related Events

Report Abusive Comment