Keeping tabs on the vast constellation of vendors in the cybersecurity space, what they do and how they fit into your overall defense strategy can sometimes feel like trying to count the stars in the sky. Understanding this landscape has never been more critical for businesses today, which is why Sounil Yu’s Cyber Defense Matrix is so valuable.
Yu, who recently took a new position as chief information security officer and senior vice president for research at JupiterOne, developed the matrix while serving as Bank of America's chief security scientist and further refined it as CISO-in-residence for cybersecurity venture capital firm YL Ventures. By mapping NIST's five cybersecurity functions to the X axis and five asset classes (devices, apps, network, data and users) to the Y axis, it gives security decision-makers a clear, one-page visual representation of all the vendors they rely on, which cybersecurity function each fulfills and where there may be gaps in coverage. A third layer tracks whether each function is carried out by people, process, technology or a combination of the three.
Users have developed dozens of use cases for the matrix, and it has received praise from former top cybersecurity government officials like Bryan Ware, former assistant director of cybersecurity at CISA, and private sector CISOs like Fannie Mae's Christopher Porter.
Yu’s matrix “has become a must-have playbook in modern information security programs for a very good reason: it provides an easy-to-grasp framework for CISOs and cybersecurity defenders and is the perfect tool for security teams to track and measure various components of a mature program,” said Ryan Naraine, director of security strategy at Intel Corp.
Yu's contributions to the broader cybersecurity community don’t stop there. He teaches at George Mason University, Carnegie Mellon University and Yeshiva University and led a working group for the Financial Services Information Sharing and Analysis group to develop better metrics. He also spent the past year sharing another framework, called the DIE Triad, which is used to measure and improve resiliency of security programs.
Beyond the security realm, Yu also worked as a volunteer CISO for Project N95, a clearinghouse designed to get personal protective equipment to hospitals, essential workers and other vulnerable populations.
Yu said in a blog post he wrote upon joining JupiterOne that he actually didn't want to become a CISO.
"I kept an eye open for opportunities that would align well with my long-term interests, which didn't include becoming a CISO," he wrote. "My interests did include finding more use cases for the Cyber Defense Matrix and the DIE Triad, but the longer that I stayed away from the heat of the battle, the more intense the feeling that my ideas were becoming more theoretical and less practical."
His fellow practitioners needed what Yu described as an "Easy Button" to put into immediate practice the use cases of the Cyber Defense Matrix and the DIE Triad.
But he couldn't do that until he himself had put the use cases fully into practice.
"And so," he wrote, "I decided to become a CISO."