I didn't want to be a CISO - Sounil Yu joins JupiterOne

by

I didn't want to become a CISO.

Over the past year, I thoroughly enjoyed my time at YL Ventures as their CISO-in-Residence, meeting brilliant entrepreneurs and brainstorming creative approaches for solving wickedly hard problems in cybersecurity. The team at YL Ventures is truly world class and I learned a lot about venture capital through the decisions that the partners made and the discipline that they showed in a red-hot market with rocketing valuations. I also had the chance to test my Cyber Defense Matrix to see if it can be used to find gaps in the market and promising investment opportunities. (It worked in finding gaps, but it'll be a few years before we see if the gaps were actually good investments.) Although the partners at YL Ventures graciously gave me the opportunity to serve longer, I felt that the CISO-in-Residence role is one that, in my humble opinion, deserves someone with fresher ideas and more recent scars from hard fought battles. And so, as I approached the end of a self-imposed one-year term, I kept an eye open for opportunities that would align well with my long-term interests...

... which didn't include becoming a CISO.

My interests did include finding more use cases for the Cyber Defense Matrix and the DIE Triad, but the longer that I stayed away from the heat of the battle, the more intense the feeling that my ideas were becoming more theoretical and less practical. Although the Cyber Defense Matrix and the DIE Triad were originally born out of practice, many of the newer use cases that I developed really only lived on PowerPoint and had not been tested in the real world. While many CISOs were excited by the possibilities when I shared these use cases with them, they simply did not have the time or engineering resources to put them into practice in their environment. My fellow practitioners needed an "Easy Button" so that they could put the use cases of the Cyber Defense Matrix and the DIE Triad into immediate practice. However, I realized that I cannot make it easy until I put the use cases fully to practice myself.

And so, I decided to become a CISO.

But not just at any company. I needed a way to turn my slideware into software. So, I wanted to join a company that had a working product flexible enough to incorporate my many use cases. I wanted to ensure that they would agree to open-source the use case implementation. I wanted to make sure that the founder shared the vision that I had. And most importantly, I wanted their product to be capable of automating the bulk of the CISO work for me so that I could spend more of my time doing what I really enjoy: discovering new use cases and exploring repeatable patterns/anti-patterns that can advance our field of practice.

I have found that company and it is JupiterOne.

Sounil Yu
Sounil Yu

Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.

Keep Reading

‘Type and go’ - New JupiterOne search bar enhancements
October 30, 2023
Blog
‘Type and go’ - New JupiterOne search bar enhancements

JupiterOne aggregates and normalizes data from hundreds of different sources so you can identify and triage security risks easily.

Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix
October 6, 2023
Blog
Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix

It seems like a simple question. “Are any of our deployed user endpoint devices missing an endpoint detection and response agent?”

Why Better Asset Visibility Matters in Cybersecurity | JupiterOne
August 30, 2023
Blog
Back to basics: Why better asset visibility matters in your security program

At the most basic level of the Incident Response Hierarchy, security teams must know the assets they are defending.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.