Sounil Yu, CISO at JupiterOne, talks about imposter syndrome, communicating in business-relevant terms and pinpointing gaps in organizations’ security programs. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: What have been some of the biggest lessons learned from your time in security thus far?
Sounil Yu: It’s normal to have imposter syndrome. In fact, if you don’t, you are probably fooling yourself. Our digital environments are extraordinarily complex and there’s no possible way that any one person can understand it all. It should be expected that we each individually will only deeply understand a small fraction of it. Nonetheless, we should strive to understand the bigger picture view of the interdependent parts of our environment because it is in those intersections where we most frequently see security issues.
Lindsey O’Donnell-Welch: What is important for cultivating a “security culture” in a business? Where do you start and who needs to be involved?
Sounil Yu: First, it’s important to promote psychological safety to reinforce a strong security culture. We want to invite people to point out flaws, find holes in our environment. We shouldn’t shun this because if we do, we shut down the willingness for others to raise seemingly minor concerns around unreported vulnerabilities and unanticipated threats. We want open dialogue with the business to ensure that we are fully aware of potential security risks and apply the appropriate level of attention to them.
Second, we want to distinguish between cyber safety and cyber security. To simplify the distinction between safety and security, it helps to put another descriptor in front of these words. For example, food safety practices include hygiene, third-party inspections, and checklists. Food security evokes concerns about the shortage of baby formula, poisoning of the food supply, and starvation. Food safety and food security are not the same.
Individual choices have a direct impact on our safety. For example, most of us know what steps we can take to improve our personal hygiene and are appalled when others neglect or ignore such simple steps. Security on the other hand, is often seen as someone else’s responsibility with the individual usually limited to a passive “see something, say something” role.
Safety requires active participation from everyone and most people embrace safety measures as a personal responsibility. Individuals can see how they can directly contribute to the improvement (or deterioration) of safety. We can promote a “cyber safety” culture through instilling a greater sense of personal responsibility and accountability among all organization's stakeholders to maintain proper cyber hygiene by appropriately recasting many common cyber activities that we ask of others (e.g., patching) as actions to promote cyber safety.
“There are many CISOs that still remain in a vulnerability-centric role.”
Lindsey O’Donnell-Welch: What are the most critical steps for organizations to build an effective cybersecurity program? What is the very first step you’d recommend?
Sounil Yu: It is vitally important to understand how the business operates and what it considers to be its most critical functions. Implementing security controls without consideration of the business would be like putting on a steering wheel lock on a car while it is being driven.
Lindsey O’Donnell-Welch: How can organizations pinpoint gaps in their existing security programs?
Sounil Yu: I created the Cyber Defense Matrix as a way to comprehensively understand one’s existing security program and pinpoint gaps in that program. It is a simple mental model that characterizes the broad scope of security functions applied towards our assets, helping us to quickly see gaps at a strategic level.
Lindsey O’Donnell-Welch: What top security advice do you have for organizations?
Sounil Yu: Focus less on pet care and more on pet control. Our security challenges are exacerbated by uncontrolled pet adoption within our enterprises. As cyber veterinarians, we are stretched thin by all the new pets that the business unintentionally adopts into the enterprise. These pets eventually become legacy systems that demand great care and attention. Others are neglected and incur liability when stolen or infected. Spending more time on pet control (e.g., data minimization, PII vaults, ephemeral systems) helps the business avoid these unintended outcomes.
Lindsey O’Donnell-Welch: When evaluating the IT landscape, what top security threats keep you up at night right now?
Sounil Yu: The broad proliferation of corporate data through SaaS apps and their associated plugins and integrations. While there is tremendous value in these integrations, it is very difficult to contain this corporate data across the SaaS ecosystem. This results in a rapidly growing attack surface where the compromise of one SaaS app could result in an attack path that leads to the exposure of corporate data well beyond what is contained in just that one SaaS app.
Lindsey O’Donnell-Welch: How has the job of CISO evolved over time, either in CISO responsibilities themselves or how CISOs are perceived by others across organizations?
Sounil Yu: The CISO’s role has evolved from being strictly focused on vulnerabilities, moving onto a threat-centric focus, and more recently, into a risk management role. There are many CISOs that still remain in a vulnerability-centric role.
CISOs need to be able to speak in business-relevant terms so that their security activities and initiatives are understood and appreciated in the proper context. CISOs have a tendency to be overly fixated on all the unaddressed vulnerabilities and that usually results in them becoming marginalized or ineffective.