Sounil Yu, CISO at JupiterOne, talks about imposter syndrome, communicating in business-relevant terms and pinpointing gaps in organizations’ security programs. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.
Lindsey O’Donnell-Welch: What have been some of the biggest lessons learned from your time in security thus far?
Sounil Yu: It’s normal to have imposter syndrome. In fact, if you don’t, you are probably fooling yourself. Our digital environments are extraordinarily complex and there’s no possible way that any one person can understand it all. It should be expected that we each individually will only deeply understand a small fraction of it. Nonetheless, we should strive to understand the bigger picture view of the interdependent parts of our environment because it is in those intersections where we most frequently see security issues.
Lindsey O’Donnell-Welch: What is important for cultivating a “security culture” in a business? Where do you start and who needs to be involved?
Sounil Yu: First, it’s important to promote psychological safety to reinforce a strong security culture. We want to invite people to point out flaws, find holes in our environment. We shouldn’t shun this because if we do, we shut down the willingness for others to raise seemingly minor concerns around unreported vulnerabilities and unanticipated threats. We want open dialogue with the business to ensure that we are fully aware of potential security risks and apply the appropriate level of attention to them.
Second, we want to distinguish between cyber safety and cyber security. To simplify the distinction between safety and security, it helps to put another descriptor in front of these words. For example, food safety practices include hygiene, third-party inspections, and checklists. Food security evokes concerns about the shortage of baby formula, poisoning of the food supply, and starvation. Food safety and food security are not the same.
Individual choices have a direct impact on our safety. For example, most of us know what steps we can take to improve our personal hygiene and are appalled when others neglect or ignore such simple steps. Security on the other hand, is often seen as someone else’s responsibility with the individual usually limited to a passive “see something, say something” role.
Safety requires active participation from everyone and most people embrace safety measures as a personal responsibility. Individuals can see how they can directly contribute to the improvement (or deterioration) of safety. We can promote a “cyber safety” culture through instilling a greater sense of personal responsibility and accountability among all organization’s stakeholders to maintain proper cyber hygiene by appropriately recasting many common cyber activities that we ask of others (e.g., patching) as actions to promote cyber safety.