Skip to content
CTRLPhreaks » Captivate Podcasts » Safety vs. Security: Why Words Matter with Sounil Yu

Safety vs. Security: Why Words Matter with Sounil Yu

Summary

Sounil Yu, author of Cyber Defense Matrix, discusses the importance of terminology in cybersecurity and the distinction between safety and security. He explains how the Cyber Defense Matrix helps organize and identify gaps in security capabilities. He also introduces the concept of the D.I.E. Triad (distributed, immutable, ephemeral) and how it can reduce the impact of liabilities in cybersecurity. The conversation highlights the need to redefine the economic equation of cybersecurity from a cost to an investment. The talk explores the concepts of cyber safety and cybersecurity and how they relate to risk management and defense strategies. The guests discuss the importance of having necessary defenses in place, even for smaller businesses that may not be direct targets. They also delve into the three-line model and how it aligns with the cyber defense matrix. The matrix is a valuable tool for understanding the full scope of cybersecurity and making risk-based decisions. The conversation emphasizes the need for a common language and understanding between tech and audit professionals.

Takeaways

  • Terminology is crucial in cybersecurity to ensure clear communication and understanding.
  • The Cyber Defense Matrix helps organize and identify gaps in security capabilities.
  • The D.I.E. triad (distributed, immutable, ephemeral) can reduce the impact of liabilities in cybersecurity.
  • Redefining the economic equation of cybersecurity from a cost to an investment is essential. Having necessary defenses in place is vital for all organizations, regardless of their size or direct targeting.
  • The cyber defense matrix is a helpful tool for understanding the full scope of cybersecurity and making risk-based decisions.
  • Common language and understanding between tech and audit professionals are crucial for effective communication and collaboration.
  • Risk tolerance and appetite should clearly articulate and align with the organization’s goals and resources.
  • The cyber defense matrix can be used as an assurance map to identify controls and risk coverage gaps.

Chapters

00:00 Introduction and Background

06:18 The D.I.E. Triad

14:13 The Importance of Terminology

26:40 Risk Tolerance and Risk Appetite

35:07 The Role of Language and Common Understanding

Transcript

00:00:00:00 - 00:00:11:00

00:00:11:00 - 00:00:13:08

Clarissa Lucas

Hey, everyone. I'm Clarissa Lucas.

00:00:13:08 - 00:00:37:23

Bill Bensing

And I'm Bill Bensing. And this is a control freaks. So today, Sounil Yu, some of you may know of Sounil if you've read the book Cyber Defense Matrix. Amazing book. I like it. There's a lot of reasons. And some, as you know, I am a stickler for terminology and language, so I that's actually it was a couple of months ago, months ago, Sounil and I had a fun conversation and it was about terminology.

00:00:37:23 - 00:00:53:19

Bill Bensing

So stay tuned to listen and hear what more we have to say about that. But without further ado, I do want to take over a spotlight. But Sounil Yu so Sounil author cyber defense majors got a lot more too. But Sounil welcome and tell listeners a bit about yourself.

00:00:53:21 - 00:01:16:10

Sounil Yu

Yeah thanks. Thanks Bill. And I think just being here is I appreciate the opportunity so right now so my passes is, has a lot of different twists and turns but I wrote the book back when I was the chief scientist at Bank of America. And you may wonder, like, what the heck is that role? Well, in a nutshell, I describe it in a couple of different ways.

00:01:16:11 - 00:01:33:18

Sounil Yu

One was I tried to get fired every day, which was a great kind of job to have. But one of the main responsibilities I had was looking at all the new and emerging vendors that are trying to sell us stuff and trying to make sense of all that, to figure out are we missing something in our portfolio of capabilities.

00:01:33:20 - 00:01:53:09

Sounil Yu

And I this is, I know a refrain that many other of my peers have, which is we see all these products and it's just hard to understand what all these different security products do. And when all you see is what there is, it's hard to figure out if there's any gaps. And so my my job was to understand where those gaps were.

00:01:53:11 - 00:02:13:05

Sounil Yu

But I didn't have a structure. I didn't have a system to understand how to find those gaps. And so that's where the cyber defense matrix was born out of. I had this desperate need to figure out how do I organize this in a structured way so that I can see missing things and the simple structure for those who are not familiar with it.

00:02:13:07 - 00:02:40:11

Sounil Yu

It's a five by five matrix. There's five functions based on this obscurity framework, identify, protect, detect, respond, recover, and then five types of things that we care about devices, applications, networks, data and users. And so we end up at this, this, this bingo card, which helps us. I can organize lots of different things. But anyway, that's it. After bank of America, I left to actually try to write the book.

00:02:40:13 - 00:02:59:14

Sounil Yu

And I struggled. I struggled for I spent six months trying to write it, and I struggled because I had all these ideas for how I can put it to use. And I had put one of them to use, which was mapping vendors. But all these other use cases I had, I, I hadn't actually practiced. And so I said, you know what?

00:02:59:14 - 00:03:24:01

Sounil Yu

I need to go and practice them. And so I spent a year seeing if I can find new and emerging vendors, or rather if I can anticipate what should be new in emerging vendors. And so I spent time with Israeli entrepreneurs giving them ideas and saying, let's see if this may actually be a real problem, which was all predicted by The Matrix.

00:03:24:03 - 00:03:43:02

Sounil Yu

And it worked out anyway. It worked out really well. We'll see whether or not it will work out financially. Well, that's a different story. But in terms of being able to anticipate problems and validate that that this is a real problem in the market, it worked extraordinarily well. So then I said, okay, can I use it for other things?

00:03:43:02 - 00:04:05:10

Sounil Yu

Can I use it to run a whole security program? And so I joined Drupal organizer CSO to to run to design and run a security program based on the cyberdefense matrix. And I think that went well too. So but the point is, after having practice it, writing the book became much easier. And so that's kind of my journey over the past couple of years.

00:04:05:12 - 00:04:27:07

Bill Bensing

Now, in the book you have a really cool analogy on a brief for it. So as given the picture of the bingo card, the analogy you give in there was imagine if you walk into a grocery store with a list of groceries and it's just a big pile of food. You always that's how you compare to a bit of today's cybersecurity landscape is is this grocery store, this whatever it may be, of a food?

00:04:27:07 - 00:04:55:22

Bill Bensing

And I thought that was brilliant as you were putting this on it Jupyter wanted working with with the continent here. Could you I mean, how did you resolve that paradigm? I mean, it was a very interesting image that you painted and any adduction around that. So I'd, I wanted to dig a little deeper into that. Like, how did you use this to sort of better organize the the the supermarket.

00:04:56:00 - 00:05:18:18

Sounil Yu

Sure. Yeah. And by the way, just so it's clear, if you came up with a shopping list and all this saw was a pile of food, you'd have to go through the whole pile before you know if something is missing or not. Right. Because there's no other, you know, there's just no system. Otherwise. So it's really hard. And it's just most of the expo halls that we go to, it is that massive pile of food in the middle of the hall.

00:05:18:20 - 00:05:46:20

Sounil Yu

So even if you know what you're looking for, it's hard to find. Now, extending the food analogy maybe a bit too far. To answer your question of how I thought about how do we actually operationalize this to to create a security program. I also looked about looked at how do you use the Matrix to organize not just the ingredients, but also things like the recipes that you want to make, the nutritional needs that we have, the allergies that we may have to deal with.

00:05:46:22 - 00:06:11:13

Sounil Yu

Okay. So consider all these different aspects of how we do food. And of course, we have these things in place, but think about recipes as a compliance requirements. So if we have a number of things that we're mandated to do, those are our recipes. Nutritional needs can be thought of as threats. We have nutritional needs around ransomware, we have nutritional needs around fishing, we have nutritional needs around, you know, web based attacks and so on, so on.

00:06:11:15 - 00:06:33:00

Sounil Yu

So what does it what does that mean? And how do we ensure that we have the right set of controls and ingredients for that? And then lastly, on the algae piece, we all know that different people have different dietary restrictions, and so we can't necessarily impose a security controls on everyone and not suffer some sort of business impact.

00:06:33:01 - 00:06:52:07

Sounil Yu

So we have to understand we have constraints and limitations. And so even though I may want to lock up a computer and put in a in a brick, a concrete and thrown into the ocean, we know that's not going to be a useful construct for most businesses. It may be pretty secure, you know, but that's not really helpful for the business.

00:06:52:08 - 00:07:15:13

Sounil Yu

So understanding these allergies and organizing allergies, understanding the nutritional needs and organizing into the matrix, all these things about being able to actually put into the matrix and characterize in such a way that I can now process this in a more systematic way. What are the ingredients that we have? What recipes does it sort of satisfy? What are the nutritional needs at this meeting, what allergies I might need to avoid?

00:07:15:14 - 00:07:23:11

Sounil Yu

And anyway, it's it's a it's a nice construct that helps us put all these different disparate things into into order.

00:07:23:13 - 00:07:44:16

Bill Bensing

You know, it's that's a beautiful analogy. And the reason I like this is thinking through this cyber security for a lot of people, like tech in general is hard cybersecurity. Even for some the techie becomes hard. But relating it back to sort of like working out nutrition allergies, I think it's a wonderful model. Actually. Just yesterday I was listening to I think it was something on NPR TED Radio Hour.

00:07:44:18 - 00:08:08:00

Bill Bensing

There's an individual looking at like how much carbon a whale consumes. Like and basically looking at, is it like an investment? A whale could be an asset for carbon. And what he did fundamentally was change the economic equation from like instead of the cost of a pound of whale flesh. What is the asset value of keeping a whale around based on how much carbon they can pull out?

00:08:08:02 - 00:08:24:08

Bill Bensing

And I use that as a loose analogy to draw back to what you just said, because the question I have here is that for the first time, I didn't really think about looking at like a whale as an asset. And he said basically, like over the lifetime of a whale, like $3 million is what it returns as an asset every year.

00:08:24:10 - 00:08:47:01

Bill Bensing

And so when you did this was there because I know and this is why I'm a bring it back to cybersecurity Cybersecurity, nobody really and I'll say this I'll say this generically, nobody really cares. And I say that in quotes until something goes wrong. Then they really care a lot. And so it's almost like it's a cost up until it's not a cost.

00:08:47:02 - 00:09:06:14

Bill Bensing

With your matrix and with your experience where you able to redefine that economic equation. I mean, because I think about just working out health and fitness, like time invested in working out, that keeps you healthy over the long run. And there's a lot of empirical evidence to show you eat a certain way, you you stay active in a certain way.

00:09:06:19 - 00:09:23:20

Bill Bensing

You extend your life for, you know, you live a better life longer. So bring this all back around. Just think in the equation. Did this to be able to flip the economic equation such that people stopped looking at cybersecurity as a cost and start looking at it as more as a an investment and an asset. Did you see that?

00:09:24:01 - 00:09:45:17

Sounil Yu

Well, some of me I mean offer so we talked about terminology being pretty important and I've thought a lot about, I think a lot about the words that we use and even the word asset I've been actually bothered by, because if you think about the term asset and a balance sheet standpoint, it is on a particular side of the ledger.

00:09:45:19 - 00:10:02:08

Sounil Yu

And what's the opposite side of the ledger are these. So if we think about cybersecurity, most of what we actually see or how we typically see the world is not from an asset centric view. We actually see it from a liability centric view.

00:10:02:10 - 00:10:03:18

Bill Bensing

Okay, okay.

00:10:03:19 - 00:10:25:16

Sounil Yu

These resources, these devices, these applications, these networks, these data, these this users, if you think about it, if you're honest with ourselves, there are more liabilities than they are that we see as security people. We see them as attacks or offices. We see them as liabilities. you don't want you don't want to get rid of all these devices, Right?

00:10:25:18 - 00:10:48:10

Sounil Yu

Okay. Yeah. Like life would be so much more secure if you had no users. Right. And so anyway, of course, that's not realistic. So the perspective nonetheless, is I think our perspective is that it's more liabilities. So what does that mean? It also means that we don't want to carry these liabilities or we don't want to continue to.

00:10:48:12 - 00:11:22:05

Sounil Yu

We want to we wanted to dispose of these liabilities as quickly as possible. And as a crew, if they're if they're neglected, then they accrue additional hazards and additional concerns. Even in financial terms, there's things like what's called impairment. You know, there's things that limit our ability to address concerns. So our inability to patch something at liability. In other words, there's an impairment function that we use and for that finance terminology, that really lends itself well.

00:11:22:11 - 00:11:35:21

Sounil Yu

So anyway, my bottom line is that we have this word asset that we use and maybe we're actually it's a misnomer. It really maybe we may want to think about this as a liability and less as an asset.

00:11:35:23 - 00:12:06:20

Bill Bensing

All right. That's interesting. So in the reframing, I see you're going there. So it's like you said, fundamentally the first principles, it is a liability because it's an attack surface. So by definition, it can't necessarily be an asset. But to your point, reducing the impact of that liability or making that liability less, I don't know what if something's more liable, but like there's this it's almost like reducing like if liability had a number between zero and one, take it from one down to as close to zero as possible, like you may never get rid of the liability, but you can reduce its impact on the balance sheet.

00:12:06:22 - 00:12:10:06

Bill Bensing

Is that a is that another way of stating what you just said?

00:12:10:08 - 00:12:39:05

Sounil Yu

It is? And one of the one of the discoveries I had with the cyber defense matrix or the cyber defense matrix led me to another discovery. It's called the digi triad, and that the triad stands for distributed and mutable, ephemeral. And the perspective is the more distributed, immutable and ephemeral Something is, the less value it has okay to the business and to the attacker.

00:12:39:07 - 00:13:08:11

Sounil Yu

And so what we want is actually assets that have very little impact if they were to be compromised, if an asset is distributed, immutable and or ephemeral, if it's very short lived, if it's, you know, widely distributed, if it's unchangeable, then it tends to have more value. So conversely, if it got compromised, if there were if it were to consider the flipside of that, there's lower liability if that asset got compromised.

00:13:08:13 - 00:13:21:15

Sounil Yu

And so to your point, how do I reduce that from whatever number it is to closer than zero at one one way one way to do that is by having systems become more distributed, immutable and a femoral edge.

00:13:21:17 - 00:13:29:04

Bill Bensing

Okay, so this is okay. I love having conversation. It gets it gets me going out to be going for like next two days.

00:13:29:05 - 00:13:31:17

Sounil Yu

Lots of business. Yeah.

00:13:31:19 - 00:13:55:08

Bill Bensing

But you so die distribute ephemeral, immutable. But you talked about words and terminology and like, I have a lot of professional crushes on people because of the way they speak. And when you talked about identify versus detect and just the way you put words to thoughts, I have had a had never been how to verbalize. But tell me like your view on terminology and share with our users.

00:13:55:08 - 00:14:20:12

Bill Bensing

Like in the end you talk about in your book as I believe it's chapter two, the two chapter called Terminology and Identify versus Detector is an example, but could you like why is this important? And as you put the defense matrix together and you were working with it, what sort of epiphanies or realizations or probably your instance that the evidence to validate your assumptions, did you come through with this real succinct focus on terminology?

00:14:20:12 - 00:14:42:15

Sounil Yu

Sure, yeah. So the words identify and detect are for the most part synonymous in the English language. But in the this type security framework, they are distinct in terms of their function. And so because the the words are synonymous in Angle's language, we confuse the functions because they have been to have the these words that were against Anonymous.

00:14:42:17 - 00:15:01:21

Sounil Yu

In fact, it's that problem is particularly exacerbated in the this cyber cybersecurity framework document itself because guess what nest for whatever reason in defining the word identify, uses the word detect and the defining the word detect uses the word identify like,

00:15:01:23 - 00:15:03:12

Clarissa Lucas

To make it more confusing, right?

00:15:03:14 - 00:15:30:13

Sounil Yu

Yes. So I had to say, okay, look, there has to be a clearer distinction between the functions of identifying detect because we confuse it all the time in all language and marketing, literature and all of these different things. But there is a fundamental difference. And one way to think about the difference is to understand, is this something that happens left of boom or right of boom, whatever the activity is.

00:15:30:15 - 00:16:06:17

Sounil Yu

So boom, first of all happens between protect and detect and then this type of screening framework. So identify, protect, detect, respond, recover between to detect is a boom of some some undesirable event. Another question is, is it happening before or after that? Well, let's consider the word vulnerability. Are we identifying vulnerabilities or do we detect vulnerabilities? Okay. And if you look at the new cybersecurity framework, again, version 1.1, they define, they say we should be detecting vulnerabilities which are again, upon most people looking through it.

00:16:06:17 - 00:16:34:03

Sounil Yu

They would say, well, I mean, sure, we do that all the time. Right. Except the the word detect in this case refers to a right of boom event when instead actually a weak vulnerability is something that you try to do before boom occurs. Right. So the appropriate term to use is actually identify, not the word detect. And again, it's a simple construct that says as is happening left or right, a boom is a happening before something bad happens or after something bad happens.

00:16:34:05 - 00:16:57:13

Sounil Yu

And if we were to just even abstract out the names, identify, protect, detect, respond, recover, enter function a function be function C, function D and function E. Is this something that will happen and function A and B or a function cDNA Okay. And it's clear it's going to happen before something bad happens and therefore it's properly aligned with the word identify.

00:16:57:15 - 00:17:05:11

Sounil Yu

Anyway, that's it's a simple constructs that help us really be consistent in our terminology.

00:17:05:13 - 00:17:43:07

Clarissa Lucas

That is incredibly helpful. And so I've been an auditor for a while and familiar within the cybersecurity framework. But the way that you explain that is right or left like that is so simple. And that's kind of my mind needs to simplify things. So that's really helpful. So while we're on the topic of the importance of terminology and two words that are sometimes used synonymously but have distinct meanings, and you talk a little bit about the difference between safety and security, because these are also things that I think sometimes we use to mean the same thing but have very distinct differences.

00:17:43:08 - 00:18:08:06

Sounil Yu

Yeah, and in fact in many foreign languages, Spanish, Chinese, Russian, I think the word for safety and security are the same word. So in many languages it's the same word, which means that as far as they're concerned, they consider it to be synonymous in English. We have two words safety and security. In cybersecurity, we have one word again.

00:18:08:08 - 00:18:44:05

Sounil Yu

So then the question is what parts of cybersecurity are actually cyber safety and what parts are actually cyber cybersecurity? Okay. And using again that the analogies are super helpful here. So let's use a food analogy. Well, what is food safety? Food safety is hygiene, compliance, inspections, good practices, personal responsibility. Right. And we oftentimes say compliance doesn't equal security while maybe it's because safety doesn't equal security.

00:18:44:07 - 00:19:09:07

Sounil Yu

And yet again, in many languages, we want them to be the same thing. But in security as are in the English language, I think there's a distinction there. Let's consider another analogy. Aircraft or airplanes. So what is airplane safety all about? Well, if I'm Boeing, if I'm united, my job is to make sure that the plant is maintained, it stays up in the air, doesn't fall to the ground on its own is my job, as I say.

00:19:09:07 - 00:19:36:01

Sounil Yu

So air space safety, security is it my is my job. Airspace, security or cyber security? Okay. Cyberspace security. Whose job is that? Actually, it's the government's job to ensure that. So if I get if I'm Boeing or United and I get hit by a Russian missile, it's because their airspace is full of Russian and Chinese missiles.

00:19:36:03 - 00:19:44:22

Sounil Yu

Whose job is it to keep the airspace clear and free of Russian and Chinese missiles? And I would say that's inherently a governmental job.

00:19:45:00 - 00:20:14:02

Sounil Yu

So this distinction between safety and security, again, it's another two terms that we seem to conflate a lot. But if we consider them as distinct, separate things, it helps us really refine what is our responsibility on the on the corporate on the practitioner side as it relates to safety. First is what are the responsibilities that really are someone else's responsible, you know, someone else's governmental functions around security.

00:20:14:04 - 00:20:32:04

Clarissa Lucas

And so in a in a more general term and we're talking about cybersecurity, is that kind of the distinction between safety and security as to what is the organization's responsibility versus what is responsibility externally? Is organization, or is there a different distinction?

00:20:32:06 - 00:20:56:00

Sounil Yu

Well, it goes let's let's use some of the examples that we've seen in the past with SolarWinds or Equifax. Equifax got hit by a Chinese missile. They tried to, you know, keep their environment clean. And while they were actually actively looking for struts and just missed it. But that's at the same time you had an adversary that shot a missile at them and they got hit by it.

00:20:56:02 - 00:21:25:01

Sounil Yu

So Luhansk got hit by a Russian missile. Okay. So the question is, is that SolarWinds fault? Is that Equifax's fault? Were they doing their basic due diligence to ensure that their airplane wouldn't fall out of the sky? Now, there is a degree to which I would say what was a Chinese missile seven years ago, seven, eight years ago for Equifax is now the equivalent of a bird strike today.

00:21:25:03 - 00:21:47:11

Sounil Yu

If you're a Boeing, if you're united, you are, you definitely have to watch out. You are obligated to be able to deal with a bird strike. And so today we have basic best practices around software building materials, software composition analysis, tools that are readily available for you to know exactly where you have software that needs to be patched in your environment.

00:21:47:13 - 00:22:11:02

Sounil Yu

If you don't have that and you would say, look, that's that's a safety issue and I'm going to audit you for those safety issues. However, with SolarWinds three years ago, we had essentially the equivalent of a Russian missile and right now it is still not quite a bird strike to say your software supply chain has to be secured in this particular way.

00:22:11:02 - 00:22:35:14

Sounil Yu

We all know it's it needs to be addressed, but we don't have those tools and practices well understood and honed. So from an audit standpoint, what kind of expectations should we place on those who for which there isn't a well-established practice yet? Okay, Once it becomes a well-established safety practice, I buy by by all means, please audit the heck out of us for those things.

00:22:35:16 - 00:22:49:18

Sounil Yu

But if we're not really sure how to deal with this today, then you know, should we be putting obligations upon the practitioners to to deal with what are fundamentally more security issues and not really safety issues?

00:22:49:20 - 00:23:05:22

Clarissa Lucas

That's helpful. And as what I'm also learning from this, too, is that line between what is safety versus security is changing and probably changing more rapidly now than it has in the past. Too tough to keep up with it.

00:23:05:23 - 00:23:16:16

Sounil Yu

Yeah, Yeah, it definitely shifts. Right? So there are again, what was a missile strike seven years ago will gradually become a bird strike. What's the what's the pivot point. Right.

00:23:16:20 - 00:23:17:15

Clarissa Lucas

Right.

00:23:17:17 - 00:23:39:20

Sounil Yu

And then they also offer there are, of course, that Lockheed Martin's and the General Dynamics of the world. If you're Apple, you need to be able to survive missile strikes and we hope they can survive this strikes, right. We all know they can do that. You know, if you're a certain class of company where you know you're going to be shot at with missiles on a regular basis, then you better have those necessary defenses.

00:23:39:22 - 00:23:58:03

Sounil Yu

Bank of America, we felt we were of similar class to have to deal with those things. But at the same time, if you're not well, I mean, not everyone has the kind of budget or resources to be able to do that. Defending against missile strikes is interesting.

00:23:58:03 - 00:24:22:04

Bill Bensing

So hearing you talk about the safety and security and like thinking about these terms, like ultimately there's always going to be missile strikes no matter what. We have to get there. And this is where you learn security. Security is all about how do I identify and protect against these missile strikes? And I don't know what it's going to be, where it's going to come from, but I can with some degree of probability, there's going to be something.

00:24:22:04 - 00:24:48:12

Bill Bensing

And over the near future, far future coming my way now, as you pointed out, depending upon the companies, some of them are really going to have their their missile defenses down extremely well. Big financial or big other institutional companies like you talked about Apple, like, you know, they're their target. So when you know you're a target, you're like, all right, I got to I'm going to have some nation state level defenses around my my system broadly speaking, to ensure that now let's go the opposite way.

00:24:48:12 - 00:25:06:01

Bill Bensing

We're only small, medium sized business. They're not necessarily being directly targeted with missiles at the end of the day, they're just not that type of dare. The investment to send the missile the way is just not worth the is not worth the return on investment. Right. But from a safety perspective, there's a lot of other people out there.

00:25:06:01 - 00:25:29:15

Bill Bensing

So this is where sort of the idea of safety comes in. So like as people have been struck by missiles and standard practices evolved to identify and then and then identify and then detect it, whether it's before post boom, that's where then the safety comes in. So for listeners out there, small, medium sized business listeners, we start thinking about cybersecurity.

00:25:29:15 - 00:25:57:20

Bill Bensing

Now, Suniel me on the hand, if I see this from a like cyber safety is that I mean, I don't want to put a buzz term out there because God knows, like, you know, if our podcast is that popular, it could go wildfire tomorrow. Cyber safety versus cybersecurity. But like if you were to put that word cyber safety versus cybersecurity out there, cyber safety is have you adopted the practices to ensure that the stuff we know that can happen, whether it's a high probability of happening to you or not, we know it can happen.

00:25:58:00 - 00:26:18:08

Bill Bensing

That and this is becomes like question your world can be audited. Those are things that are deterministic, whereas cybersecurity is is probabilistic. It's a defense mechanism. So show me what you're doing to defend yourself. And then I feel like that's that's key because there's a lot of companies like you talk about albums and software composition analysis. Software supply chain has been around for a while.

00:26:18:13 - 00:26:50:19

Bill Bensing

All of a sudden post SolarWinds people care a lot about it, and to a large degree it's like, well, just do software composition analysis, like you said, like Equifax. They're still trying to find their struts and they were doing everything they could, but they still some somebody else found it before they did. So if think it's the perspective as I bring this around into like more of a coherent like thought for the listeners, the real perspective is asking should your tactics be If you think on a spectrum of cyber safety and left in cybersecurity the right side and just sort of a mix of the other and a dial that goes from left to right,

00:26:50:21 - 00:27:00:05

Bill Bensing

should somebody be ask themselves, should it be more towards the cyber safety side and more towards the cybersecurity? Is is that a is that a way is that a good way of tactically thinking about it?

00:27:00:07 - 00:27:25:04

Sounil Yu

Yeah. So the way I've thought about it in the context of the cyber defense matrix is that the activities that we tend to do left of boom are more sci fi cyber safety oriented, okay? And they articulate a set of best practices and expectations around, you know, basic preventative controls. And if you think about, again, food safety, there's there's a lot of preventative controls that we have for food safety.

00:27:25:06 - 00:27:53:02

Sounil Yu

You can have as much food safety as you want, as many preventative controls as you want. But will that prevent somebody from an adversary, an active adversary, coming in and poisoning your food? Okay. And it won't right now. Will it help you know that if it was poisoned versus you had a poor safety practices, if you have really good safety practices, you can quickly rule out, okay, it wasn't because of poor safety practices.

00:27:53:02 - 00:28:19:16

Sounil Yu

It was because of a deliberate, malicious, whatever it might be. And I think that's really the goal that we would have to say if we have really good safety practices or safety practices, then it helps us really quickly isolate that these events, these these boom events to be one of true malice from an external adversary versus one where it was just, you know, someone flipped the switch by mistake and, you know, something bad happened.

00:28:19:18 - 00:28:53:06

Sounil Yu

Right. So I think at the end of the day, having good safety practices contributes to isolating cybersecurity issues. But I do see them as being distinct and it's it's it's not a probabilistic thing as much as it's a, again, willful intent, intentional malice being introduced, which again, is hard to have preventative controls against malicious actors that are intentional at coming up with clever ways to bypass stroke controls.

00:28:53:11 - 00:29:18:00

Sounil Yu

Right. we, we should have auditors come in and expect that we have considered the basics around then the, you know, well understood practices and well understood attack techniques. But a like ransomware as an example, at this point, ransomware is a bird strike. Okay? But the kind of attack that happened in SolarWinds is definitely not a bird strike.

00:29:18:01 - 00:29:35:07

Sounil Yu

and so having auditors come in and hold us to account for those type of things that are better at this point, missile strikes is just unfair. but having us held to account for those that which are bird strikes are as absolutely fair game. The real question, as Clarissa mentioned, is at what point does it become a bird strike?

00:29:35:07 - 00:29:44:21

Sounil Yu

And, you know, I think the standards of practice, we have to figure that out and ensure that we are holding people to account, but not too early and certainly not too late.

00:29:44:23 - 00:30:15:22

Clarissa Lucas

And so I think that's a really good transition into One of the other things that we wanted to talk to you about is kind of a cyber defense matrix. And we just talked about safety versus security and how that kind of fits into or plays with organizations leveraging the three lines model. And just a real quick for our listeners who aren't as familiar with the three lines model, it's a it's a visual representation of three different lines within an organization.

00:30:15:22 - 00:30:52:13

Clarissa Lucas

It used to be called the three lines of defense model, but an institute internal auditors revise that. That's probably been two years ago maybe, I think it was in 2021 to just talk about just the three lines. So first line being management that's ultimately accountable for the risk. Those are the groups that are typically performing controls. Second line being more of a risk management risk assurance type function compliance, QC, hire those types of roles that are more setting the expectations for risk management and then providing typically some level of assurance over those controls.

00:30:52:13 - 00:31:12:20

Clarissa Lucas

And then you have the your third line, which is internal audit, which is that independent lens providing assurance to typically the board of directors or the audit committee. So sorry I went down that rabbit hole. But the three, the question is, is more how do these concepts play with or relate to the three lines?

00:31:12:22 - 00:31:38:11

Sounil Yu

Yeah. So at Bank of America, we of course had that three lines of defense as well. I'm not sure if I can represent all three lines extraordinarily well in the cyber defense matrix, but there is another part of the cyber defense matrix that I haven't talked about, but it's actually a really fascinating part of the matrix. So at the bottom of the Matrix, I show this degree of dependency between people process and technology.

00:31:38:13 - 00:32:04:19

Sounil Yu

Now I'm actually changed the word process where I've, I've, I've modified the word process to put process slash governance. And for those who are familiar with the upcoming release of this cyber security framework, they're adding a function called governance. And I actually disagree of having another column for governance. I think governance, as much as process is something that transcends all functions.

00:32:04:21 - 00:32:25:19

Sounil Yu

And the question that we're really asking is how do we know that these processes, these activities that we're doing, these functions that we're performing are the right set of functions, and that they're actually accomplishing the goals that we have in mind? And so at some level, whether it's the second line or third line function, I see a lot of that represented in that process.

00:32:25:21 - 00:32:48:18

Sounil Yu

Slash governance part of the matrix. I haven't really distinguish which one would be second line versus first line, but a second line versus third line. But the but the first line, of course, is like what's in the each of the actual boxes. And then the second line comes in and lives above all that say, okay, are we actually doing what we're supposed to be doing?

00:32:48:19 - 00:33:21:07

Sounil Yu

And then again, an audit function that can come in and and and they pick out those things anyway anyway. So but the, but the perspectives of how we of how that is divided up is not entirely clear. I haven't I haven't articulate that very clearly in the Matrix, but at least in the context of having the process governance function or activity that transcends all of those activities is something that I've put in as a part of the model itself.

00:33:21:09 - 00:33:43:09

Clarissa Lucas

And so when you were talking about use cases earlier between that and what you just said here, I had had some thoughts. So maybe this helps answer some of the question from an audit perspective or a third line, third line perspective, potential use case that I see with this is from a third line or even a second line is using it as an assurance map.

00:33:43:11 - 00:34:08:10

Clarissa Lucas

So I love what you said earlier. You said when all you see is what is there, it's hard to see if there's any gaps or see if there's anything missing, which is like, I'm going to put that as a Post-it note on my monitor here to remind myself of that. Because, you know, a lot of times when we go into spaces as an auditor, we'll look at what controls do you have in place, and then we'll test the effect of the effectiveness of those controls.

00:34:08:12 - 00:34:28:19

Clarissa Lucas

But if we go with that control first mindset rather than a risk first mindset, we could be missing an opportunity to identify controls that don't exist where there are risks. So we just have here's these two controls. We're going to tell you whether those are effective, which is incredibly valuable. But there's also the value of here's this risk.

00:34:28:19 - 00:34:46:11

Clarissa Lucas

What control do you have in place to manage that risk? And if the answer is we don't, that's an opportunity to provide that value there. But to your point, if all you if all you see is what's there, you're missing that opportunity to have to identify gaps there. So sorry, circling back to that, because I thought that was really cool.

00:34:46:11 - 00:35:12:14

Clarissa Lucas

And I think that's something that the the cyberdefense matrix can help with from an audit perspective to of here are the expectations are here are risks that the organization might face and not just from a this cybersecurity framework perspective, but broken down by the different assets or liabilities or pieces of technology or areas along the the Y axis.

00:35:12:14 - 00:35:24:20

Clarissa Lucas

There. And then using that as an assurance map to see where do we get coverage from an audit perspective to identify whether there's coverage of those risks by the first and second lines.

00:35:24:22 - 00:35:56:10

Sounil Yu

Yeah. So there's a so in behavioral economics, there is a cognitive bias called narrow framing. And narrow framing is is really that what you see is all there is sort of view of the world. And we have again, a cognitive bias that we naturally do this on a regular basis. The cyberdefense matrix was intended to provide a broad framing way of looking at the whole world to say, Here's all the things that, here's the, here's the range of options and range of considerations.

00:35:56:16 - 00:36:20:14

Sounil Yu

Yeah, now we may choose. So actually and there's 25 boxes in the cyber defense matrix. Think of it like a football team. I can only pick 11 boxes. I can't, I can't afford another player. In fact, it's it's a penalty. If I put a 12 player in there, if I try to check 12 boxes. So the question is which 11 boxes are you going to cover at the expense of 14?

00:36:20:14 - 00:36:41:05

Sounil Yu

The other ones, Yeah. Okay. So in other words, we know we only we're limited in our resources and we need to be very deliberate. May I call it a risk manager approach, right. To say where we're we're taking risks here because we think there's a greater risk there. Now, you come in as an auditor and all you see is the 11 controls.

00:36:41:05 - 00:36:56:08

Sounil Yu

You're like, okay, well, surely that's all there is, right? And then of course, the answer is no. There's a lot more things that we have to worry about. But I think it's a really useful the question that come in and say, well, what give us a reason why these controls weren't included? And there's there's a perfectly rational reason.

00:36:56:10 - 00:37:32:01

Sounil Yu

There may be a perfectly rational reason for that. What you don't want is for them to say, I hadn't considered that at all. Right. Right. Because now you're like, okay, well, then that may completely refactor your prioritization for all these other controls. What was the cyber defense matrix helps us to do is to say, look, here's the full space and I might deliberately choose not to put controls in certain places because of these reasons, but we at least acknowledge that there exists a need, a potential need for controls here which will risk monitor until, you know, time that their proper time comes around.

00:37:32:03 - 00:37:59:06

Sounil Yu

But at least we've we know that we're not missing something. Okay. And that's that's I think that's this broad framing view of the matrix is one of the things I have found to be really useful. It gives us the full scope or space of what to consider and that way what you see is not all you get. It's, it's you have the broader, you know, the, the, the complete framework gives you that that holistic view.

00:37:59:08 - 00:38:20:22

Clarissa Lucas

And when I hear that, I think of articulation of risk tolerance. So it seems like a helpful way to have that conversation about risk tolerance and risk appetite. We're intentionally choosing not to spend the resources on these risks because we have decided that we can tolerate that risk here. But we're not willing to tolerate the risk in these areas.

00:38:20:22 - 00:38:27:15

Clarissa Lucas

So I think that's another another important use case scenario for the matrix.

00:38:27:17 - 00:38:44:04

Sounil Yu

Yeah. And you know, people scored on the defense ends up all the time and the coaches asked why did you do it that way? Well, you know, at the time, this is best we knew. Right. And we made a risk management decision at the time. Why did you get a compromise? Well, here's what we knew at the time.

00:38:44:04 - 00:38:57:21

Sounil Yu

We believe this and maybe we're wrong, but at least provides a defensible reason as to why you're making the decisions, the tradeoffs that you're making.

00:38:57:23 - 00:39:34:22

Bill Bensing

You just you hit something there. The defense, for reasons and like listening to you talk about risk tolerance versus I've think I've just the word sake, I'm interested in this conversation because what you just said there is if and it very critical because like in a world where everybody wants to have zero defect, which never happens in a world where Six Sigma is truly way too expensive, like the envisat two or three sigma, What you're talking about here is I think is very keen for everybody to listen to because it's not like, am I am I completely buttoned up because that's not the right answer.

00:39:34:22 - 00:39:50:05

Bill Bensing

My completely. But then like you pointed out, like we have this to go with the Matrix, you have these 28 boxes. The question is, have you thought about all the 28 boxes and have you said, here's so I'm investing because I have a limited set of resources and I love how you bring behavioral economics into this. Like, have I thought about these resources?

00:39:50:10 - 00:40:05:18

Bill Bensing

Have I addressed my biases to ensure that these are the proper tradeoffs for what we're trying to do? And then outside the controls for the 11, the explanation for the subsequent, what is that 20 or the other one for 23? I get.

00:40:05:18 - 00:40:09:18

Clarissa Lucas

Bad taste. Actually, we don't we don't math on this on this podcast, though.

00:40:09:20 - 00:40:30:02

Bill Bensing

But but I think that's critical because like I look at what's happening right now, the SEC and Tim Brown and the folks like and it's like some of the stuff you're seeing is very interesting. Like maybe their lawyers get a hold of this. It helps with of their argument. But like you think they I'm like, you know, CISOs are going to be put on a spear and every time like now it's a very politically expedient way to diverge from other things that are happening.

00:40:30:02 - 00:40:53:02

Bill Bensing

Like, look at that, See? So they got hacked and it's like, hold on a second. Here is our here's our chart. There's actually a a chart called Wigmore Chart. Wigmore chart actually charts a it was developed in the early 1900s a a professor by the name of Gene Goodwin actually we brought it up making it mid eighties nineties wrote about it but it charts illegal arguments and the strength and the weaknesses of a legal argument.

00:40:53:07 - 00:41:06:01

Bill Bensing

And so like it's funny because as I look at some of the stuff from the governance and hearing background what I'm really trying to do is like how do you chart a legal argument at the end of the day that you're doing what you've done and I love what you've talked about, what you have just brought up because it's like my mind's blown on this one.

00:41:06:01 - 00:41:22:19

Bill Bensing

Like, how is it how can combine some of the stuff? Because nobody's nobody's saying you, here's your risk tolerance and all this other type of stuff is like, listen up, There's a probability something bad is going to happen. You have to accept it and you have to like know what's going to happen. But like, let's be very clear about where we're going to draw the lines of where we expect it to happen.

00:41:22:21 - 00:41:47:10

Bill Bensing

And let's be very clear with our controls and very specific and deterministic on where we don't want it to happen. And that's that's our strategy. And guess what? Like he's pointed out, like every once in a while, a gets fast pass a defense way, there's always a probability of something happening. Now, what did we learn from that? Do we have to generate a new do we have to bring something from the security into the safety realm like then you have the questions, the post hoc questions there.

00:41:47:12 - 00:42:13:09

Bill Bensing

With that being said, I didn't get in at time. Wow, this flew by quick. It it's still out. Let's let's let's review the last. So for our listeners as we've gone through this, what is probably knowing that it's the tech geeks and the it's the audio geeks and we're trying to bridge that gap. What's some advice that you can give folks on both sides to help, especially with things like the cyber defense matrix?

00:42:13:11 - 00:42:20:22

Bill Bensing

Another other thought, you haven't had a better approach, this analogy to cyber safety versus cybersecurity.

00:42:21:00 - 00:42:48:01

Sounil Yu

Well, you hit upon an earlier I mean, we are all trying to work towards a common goal. And even though it may seem adversarial at times, you know, we're trying to all try to make things better and unfortunately, it this manifests in many different realms, whether politics or social dynamics or whatever. But we talk past each other in terms of language and being able to speak on the same level is actually, I think, really important.

00:42:48:01 - 00:43:11:18

Sounil Yu

So having common language, common understanding, common definitions is useful. To that end, let me let me leave one little bit of advice for those who are who are wanting to use the cyber defense matrix. So I just if I if I pulled up Google Maps and I said, hey, I mean, Google Maps is really useful, right? can you tell me how to get to the bathroom in your building using Google Maps?

00:43:11:20 - 00:43:33:13

Sounil Yu

And of course you can't, right? It's the wrong model for that specific task. As useful as it is, it's the wrong model. So the cyberdefense matrix is useful. I think it's useful and I found tons of different use cases for it and there's a lot more that I have dreamed up. But that said, it's not useful for all use cases.

00:43:33:14 - 00:43:58:14

Sounil Yu

It's something that I think has been really useful at this very strategic 50,000 foot level and but it has failed in its utility at a 1000 foot level. And it's just something to be mindful of. And this is something that again went back to language for a while. I used to be really irritated when people would use the word risk wrong, okay?

00:43:58:16 - 00:44:20:20

Sounil Yu

They would use the word risk. And I would say that's not the word. That's not using the word risk wrong, because that's not what I understand to be risk. While it turns out and if you're traveling at the 50,000 foot level directions or given as north east southwest at the 1000 foot level, the directions are given as left, right, straight.

00:44:20:22 - 00:44:46:21

Sounil Yu

Okay. Directions like risk uses different language at different altitudes. And I have to just recognize that and we have to recognize that and say, let's make sure that we understand what we think we should. We're using at the right altitude, even though we may be using the exact same word like risk. Let's make sure that we understand what altitude we're operating at and then how to use that terminology properly.

00:44:46:23 - 00:45:00:04

Clarissa Lucas

And I think that would solve way more problems beyond just what we talked about today. But I see that as a common root cause of a lot of different conflicts in in organizations.

00:45:00:06 - 00:45:01:12

Sounil Yu

Absolutely.

00:45:01:14 - 00:45:10:05

Clarissa Lucas

Though. So, Neal, thank you so much for being on the show. We really appreciate it. I know I've learned a lot and I'm excited for our listeners to listen as well.

00:45:10:05 - 00:45:17:09