I didn't want to be a CISO - Sounil Yu joins JupiterOne

I didn't want to become a CISO.

Over the past year, I thoroughly enjoyed my time at YL Ventures as their CISO-in-Residence, meeting brilliant entrepreneurs and brainstorming creative approaches for solving wickedly hard problems in cybersecurity. The team at YL Ventures is truly world class and I learned a lot about venture capital through the decisions that the partners made and the discipline that they showed in a red-hot market with rocketing valuations. I also had the chance to test my Cyber Defense Matrix to see if it can be used to find gaps in the market and promising investment opportunities. (It worked in finding gaps, but it'll be a few years before we see if the gaps were actually good investments.) Although the partners at YL Ventures graciously gave me the opportunity to serve longer, I felt that the CISO-in-Residence role is one that, in my humble opinion, deserves someone with fresher ideas and more recent scars from hard-fought battles. And so, as I approached the end of a self-imposed one-year term, I kept an eye open for opportunities that would align well with my long-term interests...

... which didn't include becoming a CISO.

My interests did include finding more use cases for the Cyber Defense Matrix and the DIE Triad, but the longer that I stayed away from the heat of the battle, the more intense the feeling that my ideas were becoming more theoretical and less practical. Although the Cyber Defense Matrix and the DIE Triad were originally born out of practice, many of the newer use cases that I developed really only lived on PowerPoint and had not been tested in the real world. While many CISOs were excited by the possibilities when I shared these use cases with them, they simply did not have the time or engineering resources to put them into practice in their environment. My fellow practitioners needed an "Easy Button" so that they could put the use cases of the Cyber Defense Matrix and the DIE Triad into immediate practice. However, I realized that I cannot make it easy until I put the use cases fully into practice myself.

And so, I decided to become a CISO.

But not just at any company. I needed a way to turn my slideware into software. So, I wanted to join a company that had a working product flexible enough to incorporate my many use cases. I wanted to ensure that they would agree to open-source the use case implementation. I wanted to make sure that the founder shared the vision that I had. And most importantly, I wanted their product to be capable of automating the bulk of the CISO work for me so that I could spend more of my time doing what I really enjoy: discovering new use cases and exploring repeatable patterns/anti-patterns that can advance our field of practice.

I have found that company and it is JupiterOne.

Sounil Yu

Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.
