Preview Mode Links will not work in preview mode

Defense in Depth

Oct 17, 2019

All links and images for this episode can be found on CISO Series (

A simple way to visualize your entire security program and all the tools that support it.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest for this episode is Sounil Yu (@sounilyu), creator of the Cyber Defense Matrix and former chief security scientist at Bank of America.

Thanks to this week’s podcast sponsor, Verodin.


The Verodin Security Instrumentation Platform proactively identifies gaps in security effectiveness attributable to equipment misconfiguration, changes in the IT environment, evolving attacker tactics, and more. Learn how Verodin, part of FireEye, has made it possible for organizations to validate the effectiveness of cyber security controls, thereby protecting their reputation and economic value.

On this episode of Defense in Depth, you’ll learn:

First, just look at the darn thing and it'll start to make sense.

  • The Cyber Defense Matrix's original purpose was to provide a visual way to see where your gaps are in your technology.
  • Users have found lots more uses for the matrix, such as seeing those same gaps in people, processes, and trying to map out the vendor landscape.
  • By visualizing, you can see also where you have too much and you can actually get rid of technologies.
  • The matrix provides structural awareness of your vulnerabilities.
  • The matrix admittedly gets a little wonky when cloud technologies are introduced. They often bleed across categories, not neatly fitting into any specific buckets.