Modern Cyber with Jeremy Snyder - Episode 41

Sounil Yu of Knostic on the Role of a Modern CISO

Join FireTail CEO Jeremy Snyder as he talks with Sounil Yu, co-founder of Knostic AI, about the evolving role of today's CISO.

Podcast Transcript

Alright. Hello, and welcome back to another episode of the Modern Cyber Podcast brought to you by Firetail, leaders in API security. Find us online at firetail.io. Please remember to rate, like, subscribe, share with your friends, etcetera.

I am delighted to be joined by somebody who really doesn't need much of an introduction, especially if you work in the cybersecurity space. I'm sure it's a very well known name, but I am joined today by Sounil Yu. Sounil is the cofounder at Knostic AI, spelled knostic.ai. And, previously, Sounil was the CISO and head of research at JupiterOne as well as chief security scientist at Bank of America among other cybersecurity leadership roles. Sounil is a well known name, as I said, in the cybersecurity space.

He created the Cyber Defense Matrix and the DIE Triad, which are reshaping approaches to cybersecurity. I know I find them incredibly informative and helpful in terms of just shaping some product direction and things that we're doing over here at Firetail. I hope all of you are actually referring to them. Sounil has an MS in electrical engineering from Virginia Tech, a BS in electrical engineering, and a BA in economics from Duke University. And just by way of disclosure before we dive into today's conversation, Sounil Yu is an advisory board member at Firetail.

Sounil, thanks so much for taking the time to join us today on Modern Cyber. Thanks for having me. So you've been through a number of large organizations in your career. You've been through a number of different roles. CISO, chief security architect, now cofounder at a company.

But I'm curious in your experience as a cybersecurity leader, leader in particular, how do you think about starting in a new organization? Like, you know, you just land on the ground. You're brand new at the organization. You're getting a bunch of cyber challenges thrown at you. How do you think about that?

What are some of the first things you do, like 30, 60, 90 days in, in starting a program? Well, so let me give you an analogy, and it'll help you understand, I think, how I approach it as well. So let's say instead of joining an organization, you're asked to come in and you're catering a nice dinner for this organization. Now imagine you come in and you're like, okay. I know what my favorite foods are.

This is what I enjoy. I'm gonna go make these foods, and that's what you offer. But you don't realize that half the guests have gluten allergies or wheat allergies or milk allergy or, you know, dairy, whatever. You have all these allergies. You know, like, and people try the food and they break out with allergies and they're discombobulated for the rest of the evening and they can't function.

Well, if you go into a business, if you go into a new organization and you say, oh, you know what? I know how to do security because I've already done it in organization x, y, and z. And you go in and try to implement these controls, I think it's the same sort of scenario. You're coming in without really understanding the business and understanding the composition of the business. And what you'll end up doing is basically creating these allergic reactions as you try to roll out these controls.

And ultimately, they're gonna hate you for it. Right? They're gonna be like, this person just wrecked my stomach or wrecked my business. I can't do my work. I'm just gonna work around them.

I'm not gonna even eat their food. I'm just gonna ignore them because they keep serving me stuff that causes me these allergic reactions. So I think it's really important for the first 30, 60, 90 days to really be about how do you understand the business and understand not just the allergies, but also things like their nutritional needs? In other words, what are the threats that are coming after this particular organization? How is this organization distinct in terms of their threat profile?

So it's a combination of understanding their allergies and their nutritional needs. And then from that, you can start designing recipes and acting upon those. And the recipes are what you would then implement as your security program. But like I said, it's kind of foolish to go in with your own set of recipes without really understanding both the nutritional needs and the allergies of the organization. That's a very informed view of things.

And it's funny because, you know, in my experience going across, I don't know, 7 or 8 companies that I've worked for in my career, one of the things we see from the software development side, and I've been part of teams where this happened and I've seen it any number of times, is it's almost like a trope. Right? A software developer comes into an organization, asked to work on a project, a piece of software, whatever, and it's almost a formula that, you know, the first thing they're gonna do is look at the code, say it's crap, and that they wanna tear it down and rewrite from scratch. But that's not how you would approach it from the cyber perspective, I imagine. There's a whole notion of the three letters that you get when you start a new CISO job.

You get three letters from your predecessor. You open the first letter when something bad happens, and the first letter says, you can blame me. You're part of the question. The second letter, when something bad happens, you open the second letter and it says, blame the team. And then on the third letter, when something bad happens, it says, write three letters.

Yeah. So there is a tendency for us to come in and say, this program is so bad. My predecessor did a horrible job. Yes. You could take that sort of perspective.

But I think there's a different perspective of having change in leadership, and there's a cognitive bias that we have around sunk costs. Yeah. We think that this is the solution to something, and we come in and we sink more and more money into the solution. And when you have a change of leadership, you have the opportunity to go in and say, wait. Wait.

Why are we still sinking money into this? It doesn't seem like we're gonna ever get a return. Can we actually get more benefit by putting it elsewhere? Now, yeah, you are disenfranchising those people who've been working on that project for a long time.

Yeah. Yeah. But that may be the right decision for the organization if you take a step back and have somebody without sunk cost bias come in and reevaluate the situation. Interesting. And from that perspective, there's a question or kind of an analogy that comes to my mind around that.

Maybe not an analogy so much as an observation, which is that very few people take that first bit of approach or that first bit of advice that you mentioned, which is to really try to step back and understand the needs of the business first to inform a strategy. They don't take that on a periodic basis in a lot of the investments that they make. And it kind of leads into the second part of what you're doing, which is the sunk cost fallacy, I guess I would call it. You know, we've invested in something. We're not seeing problems with it, so we assume that it's working, but we don't actually ask ourselves the question when it comes to, let's say, renewal or continued usage of something as to whether that thing still corresponds to a need that we have or corresponds to something that is a legitimate threat towards our organization.

How do you get people to think about that more actively or on a more regular basis? Sure. Yeah. The way I think about this is to think of it like a sports team. So first of all, folks who know me know that I have this thing called the Cyber Defense Matrix.

It's a 5 by 5 grid, 25 boxes. Right? But think of it like a sports team. I have a football team, and I can only field 11 players on the field. Of those 25 boxes, which are the 11 boxes I'm gonna cover for this coming quarter?

Yeah. Next quarter, where has the offense moved, and how do I adjust my defenses so that I'm positioning them in the right place? And I have to recognize that I've committed resources to getting a defender in a particular box on the matrix, and maybe I need to now move that. Right? Because I don't... Yeah.

I can't add a 12th player. Yep. Yep. Consider the file. I don't have the money for that.

And so, yeah. Yeah. If I could reset every quarter, if I could reset every play, imagine how many football games you would lose if you just used the exact same defensive line for every single thing. Yeah.

Right. You have to constantly reevaluate the situation and say, alright. I've committed time towards this particular box, but you know what? It doesn't make sense for us to continue to support that box. We should reallocate this resource elsewhere.

Now at the same time, if with that reallocation you're putting the company in jeopardy because you truly are short of resources, that's a different conversation. You can say, hey, management. Look. We don't even have 11 players.

You're only giving me 4 players and, you know, the opponent's gonna score touchdowns over and over again because all I have is 4 players. Again, that's a different conversation, but one that at least we can think through. And, again, the model and the way of thinking is to say, imagine if you only had 11 players and you can move only those 11 players. I think it's a great analogy. And, I mean, look.

You look at sports teams and they have salary caps and, you know, take that to the organizational level. That's your budget. Right? And then you think about those players that you can't move. Those are your long term vendor lock-ins that you have where you might have a 3 year commitment to a particular vendor, technology team, what have you.

The one thing that it brings to my mind, by the way, is that my next business idea is gonna be swapping contracts for vendors between organizations. So if, you know, Bank of America no longer needs EDR, we can take that EDR contract from them and assign it over to Discovery Channel and take the SIEM from Discovery Channel. Anyway, I'm joking, but you kind of see what I'm saying. Subletting security projects. That's a... Or subletting security products.

That's kind of funny. Products. Yeah. Yeah. Look.

There are secondary markets for almost everything in the business world when it comes to things like physical assets, and there are even secondary markets when it comes to things like AWS EC2 reservations, but not on vendor licensing. Anyway, it's a fun joke that kinda comes to my mind, but I love the analogy of the sports team because I think it really is actually very parallel to how you think about some of the constraints that you might have as an organization. I wish that organizations behaved more in that manner where they reevaluate it on a play by play or a quarter by quarter basis. Too often, I think I see that thinking doesn't really change in many organizations even from year to year. They just kind of hit repeat or they hit renew and kind of go with the same things.

Yeah. Yeah. You know? And that's the sunk cost bias. Usually, it's the sunk cost bias that's driving that because you've already committed resources, and you don't wanna feel like a failure.

Yeah. One of the other questions I have in terms of, let's say, starting a new cyber program is around emerging technologies. So, you know, during my time in the cloud security space, last however many years, one of the things that we saw was that, you know, security teams didn't really understand the technology platforms at first. And so what we saw in a lot of organizations is when we would go in to talk about cloud security challenges, we were very often talking to cloud people, not security people. And the security people would say, oh, what you're asking about, that's a cloud problem, not a security problem even though it was a cloud security problem.

And so they would point us over to a specialty team very often called, by the way, the Cloud COE, Cloud Center of Excellence. For whatever reason, that term caught on and it spread like wildfire across organizations, near and far. Do you see that as a common pattern? Do you see that as a good pattern, a bad pattern? And, you know, if you're a CISO of an organization today and we're in a wave of, like, a lot of extremely new technology coming at us very fast, how do you think about managing the adoption of new technologies or starting to implement programs around emerging technologies?

Yeah. So here's an interesting pattern or evolution that we're seeing, and I've seen this across a number of organizations. So many people know that many CISOs report to the CIO. But in newer organizations, there is no CIO. And if there is a CIO, they end up reporting to the CCO.

Like, woah. Yeah. What is that about? I've also seen, by the way, CIOs reporting to CFOs. Right.

And, really, the question here is, what's the job of the CIO in a modern company that is largely SaaS based? Yeah. SaaS and public cloud. You don't really have physical infrastructure. Right.

What are they CIO-ing? Right? And, effectively, what's happening is through SaaS and through cloud and through now all these AI initiatives, you have different stakeholders that are really driving the creation and usage of these business resources. So with SaaS, now the people who are running and operating SaaS are the business themselves. Same, again, with the AI infrastructure.

It's oftentimes the data team or somebody on the business side. And so as a result of that, this notion of the CISO, this pattern that we're seeing repeat itself over and over again, is ultimately that the CISO works with the owner of those assets and the folks who manage those assets. So if your environment is largely SaaS, then you're now working more closely with the business because who manages and runs these SaaS applications? The business themselves. Who runs and manages these AI tools and resources?

The business or the data team. And so that's what we're seeing. And I think that's this evolution. The shape of the CISO role is adapting to who owns the underlying resources that are being deployed that need to be secured. It's funny because, you know, I used to work with somebody who said all IT goes in cycles.

You know? We started with this, and then we went to the cloud, and then certain organizations came back, and then we went to edge cloud and, you know, just these kind of cycles and cycles. And the cycle that you just mentioned around kind of the convergence of the CIO and the CISO, hey. When I started in IT, there was no division between IT and cybersecurity. Cybersecurity was just one of the responsibilities we had in addition to infrastructure.

And one of the things that I think, you know, people should remember is that the role of IT and security is to enable the organization to go do what the business needs to do. Right? It is fundamentally an enabling function. And by the way, enabling, not the department of no. So for those of you out there who are, you know, kind of living that stereotype, please think about what it is that you're trying to accomplish.

I'm kind of curious. You know, we talk about the shift in technology. We talk about the shift to the cloud that was greatly accelerated during the pandemic. And I'm curious, if you were to take the temperature of the room, do you think organizations have caught up to kind of the security debt that might have been incurred through this, like, mad rush to the cloud, or do you think there's still, like, a lot of catching up left to do? It seems like there's always technical debt wherever we go.

There's a Joseph Schumpeter. He described this thing called creative destruction. And creative destruction is these waves of technological evolution that basically just completely make all these other things obsolete and just remove them from being a problem. Actually, an example of that would be back in the late 1800s. We had this massive problem with horse poop everywhere.

Yeah. And many cities were, like, drowning in horse poop, and they're like, what are we gonna do? We, you know, we can get all these shovels and keep shoveling horse poop, but they had this issue. But that whole horse and carriage model, of course, got fully disrupted through technological evolution, and it was no longer an issue just because we had new things to deal with. I think we're in that same sort of situation with AI.

AI has become the new creative destruction mechanism that's driving all the forces of change, or many forces of change, and putting a lot of the things that we would have otherwise looked at as technical debt, the horse poop pile, and saying, what are we gonna do with all this? But guess what? Something else is coming that's gonna make those problems pale in comparison. Yeah. Yeah.

I think that's a great way to think about it. With the last question that I have for you today, I mean, there's a ton of emerging technology. There's also a ton of regulatory change, and we've seen for the first time kind of what some people have described. And I can't remember if it was you or somebody else that we know who described the current situation as the Sarbanes-Oxley moment of cybersecurity where there's personal liability on the line for chief information security officers. And I've talked to another guest, Anthony Johnson, about kind of how very often there's kind of what he described as big C CISOs and little c CISOs depending on where they fall in the organization structure, as we just kind of talked about.

How do you think about the current state of things for somebody considering a chief information security officer role? Yeah. Especially for a public company, it's an interesting challenge because the Wells notice and the actions that were taken against Tim Brown at SolarWinds and the actions that were taken against Joe Sullivan when he was at Uber are deeply disconcerting for a number of reasons. But to characterize why it's disconcerting, let me use yet another analogy.

So, previous listeners may have heard me talk about this, but this notion of safety and security, in many languages, they're the exact same word. In English, we have 2 words. In cybersecurity, we have one word again. And to understand the distinction, it helps to put words in front of safety and security. So for example, food security, you have things like hygiene, compliance, inspections, and so on and so forth.

And if I put the word airplane in front of it, same sort of concept. We have companies like Boeing and United and Delta. They have an obligation to maintain airplane or aircraft safety by maintaining it, by fixing and patching and all these other sorts of things. But United and Delta are not responsible for airspace security. Right.

Meaning, if they get hit by a Russian or Chinese missile, is it really their fault if they're in US airspace? Yeah. That's not their job. It's the job of the US government to keep the airspace free and clear of Chinese and Russian missiles. And so if you have a company like SolarWinds who gets hit by a Russian missile, or if you're a company like Equifax who got hit by a Chinese missile, who's liable for that?

Who should be liable for that? Because it's a situation where, let's presume for a moment that if they were doing their due diligence to keep their aircraft, so to speak, well maintained or at least maintainable enough that it would not fall out of the sky on its own, then I think that would be the standard of care that we would look for. Their job is not to dodge missiles. Yeah. But to that point, I would almost argue that in the case of Equifax, they may have neglected some of their responsibility on that one.

I don't view them as necessarily the same level of sophistication. Okay. So let me offer a perspective on this one. And, again, I could be entirely wrong in terms of the specific details, but here's my indicator of what is actually happening. Now first of all, let's talk about those missiles for a moment.

What's a missile today becomes a bird strike many years from now. Yeah. Boeing and Airbus are absolutely liable for not surviving a single bird strike. Okay? Right.

If a bird strike takes your plane down, that is Boeing's fault. Okay. Yeah. At what point does a Russian missile become a bird strike? Well, I think the sign of that is through the innovation that we see in the marketplace.

If you have a SolarWinds-style attack and all of a sudden now you have a raft of startups that focus on software supply chain security, then guess what? That was a missile. And through the innovation that we see and the adoption of this innovation across the entire ecosystem, we will start seeing that Russian missile start turning into a bird strike. Let's go back to Equifax for a moment. Software bill of materials, software composition analysis, being able to understand what software do you actually have in your environment and where is it.

That was a hard problem back then. I remember the struggles that we had to try to find Struts everywhere in our environment. It was very, very hard. Is it easier today? Yes.

In fact, yeah. I would argue today, if we don't have a software bill of materials, if we don't have software composition analysis, then you are negligent because those are the equivalent of a bird strike today. Look. Very fair argument, and I didn't think about it from that perspective, but I get where you're coming from. With all of the landscape and the fact that you do have missiles coming towards you, you know, or potentially have missiles coming towards you, especially as you go into a larger organization, is it worth it taking the job?

It depends on how much compensation you get. Right? So if your job is to fly F-16 jets where you will be shot at by missiles on a regular basis, then hopefully you'll get rewarded as such. And by the way, there are some organizations that have to operate that way. I would certainly hope that Apple operates more like Lockheed Martin and less like ServiceNow.

Yeah. I think that's a great analogy to kind of end today's episode on. Sounil, thanks so much for your thoughts on the state of the CISO and on the state of kind of starting a security practice as a new organization. Thanks so much for taking the time to join us on Modern Cyber. Thanks for having me.
