Industry veteran and SANS Institute fellow Frank Kim has joined YL Ventures as its new full-time CISO-in-residence. YL Ventures connects startup entrepreneurs with CISOs to provide advice and guidance as they develop their cybersecurity solutions and grow their businesses. Kim — who founded ThinkSec, a security consulting and CISO advisory firm, and is the former CISO of the SANS Institute — brings in-depth perspective from key facets of cybersecurity to his new role, in which he will focus on the business impact of cybersecurity solutions.
Kim took part in the following Q&A with Dark Reading. (Content has been edited for length and clarity.)
Dark Reading: What is the CISO's role in a startup? How can CISO advisors help fast-track tech startups?
Kim: Over my 20-plus years in cybersecurity, I’ve advised my share of security startups and mentored many more during my time at the SANS Institute. Today, as the CISO-in-residence at cybersecurity VC YL Ventures, I begin working with a firm’s entrepreneurs even before we invest in them and continue to do so across their entire company-building journey. Being a CISO-in-residence offers experienced CISOs, who have been deep in operational security for years, the chance to impact and drive the growth of the next generation of top-tier cybersecurity vendors.
I work closely and directly with cybersecurity startup founders on their ideation, product market fit, and value realization on an in-house and regular basis. I provide them with what can be considered an invaluable vantage point into the needs of modern CISOs, security teams, and businesses, and I specifically guide them on making sure security solutions provide business value at business speed, resolving the gap between business and tech latency. We need better, more modern approaches for securing today’s digitally led businesses so that security transforms from a potential hindrance to a proper enabler.
This career path is a natural progression from my role at SANS, where I grew the cloud security and CISO cybersecurity leadership curricula to help shape and develop future security leaders. Every YL Ventures founder who I've spoken with is inherently building for the cloud-first world of today and tomorrow where leadership, coupled with innovative ways of securing the modern ecosystem, matters more than ever. My goal is to help founders and entrepreneurs bring these new capabilities to light.
Dark Reading: What are the top emerging CISO cyber concerns? Is ransomware still public enemy No. 1?
Kim: Regarding ransomware, it’s still a concern. YL Ventures recently published a unique report on ransomware risk in which half of the CISOs surveyed stated that their organization had been the target of a ransomware attack — but at the same time, many did not believe they needed a dedicated ransomware solution, but rather a multilayered security approach.
Data security is another growing concern, specifically the ability of businesses to use, share and leverage data securely. If we look at future revenue streams for startups, the key is driving and enabling the adoption and use of data. It has become such a pivotal part of business and such a lucrative target for attackers that it’s justified in becoming a top priority for CISOs. In the modern, dynamic business environment with M&As and consolidation, data keeps moving and changing, and we have to keep up.
Security operations teams struggle with alert fatigue and challenges with leveraging automation to remediate security issues in the cloud, and this is concerning as the volume of attacks only continues to grow. Now that tools like cloud security posture management (CSPM) have increased visibility and security teams have the information they need, they don’t always know how to use it, increasing the risk and the time from detection to remediation. Visibility is no longer enough.
Resiliency and recovery are top-of-mind for businesses now due to high-profile attacks. Organizations want to cut down on time and resources needed to bounce back after cyberattacks and minimize potential damage.
Finally, GRC and risk measurement: Security is becoming a board-level discussion and an acute business risk for organizations. CISOs must have the right tools to be able to govern their programs, measure cyber-risks, and mature their program/stack over time. They are looking for solutions that will enhance their ability to assess risks and run security programs more efficiently — in a data-driven way — measure efficacy, and translate it to top executives and board members.
Dark Reading: Are CISOs pretty much a position only for larger organizations, or would smaller organizations benefit from having the CISO role?
Kim: Security should be a business priority from the earliest stages of company-building, regardless of size or sector. It’s about more than just hardware and software; getting security on board early speaks to the type of culture you’re creating in your organization, and it should be in a company’s DNA from day one. CISOs and security teams need to be part of the core business and grow along with other critical positions on the team, such as HR, operations, development, and others. Many organizations — especially the bigger ones — actually fumble the basics, and including security when you’re building your foundations will ensure that the most fundamental security hygiene priorities are taken care of. These will be valuable as the organization scales, and the security team scales with it.
Dark Reading: How do you advise organizations on addressing security workforce talent shortages?
Kim: In my time as a Fellow at the SANS Institute, I made it my mission to grow and support the next generation of security professionals. Unfortunately, it has been well-documented that there aren’t enough of us. ISC² places the global shortage of cybersecurity jobs at nearly 3 million, and there simply aren’t enough young professionals to support growing security needs.
CISO burnout is a real thing. Security teams have about 14 balls in the air at all times, as they try to do incident response, provide clarity to business leaders, address new vulnerabilities, and more. Organizations must address this as a hazard and prioritize automation tools and other streamlining processes to reduce the load and turn CISOs from firefighters to strategic actors. The characteristics of a CISO’s job are also to blame. Being a CISO can be a lonely, solitary job that is detached from the rest of the organization.
Fostering a collaborative and engaged working environment is key to ensuring that the security talent you have will want to remain in your organization.
Dark Reading: How is the integration with the rest of the C-suite working out? Are we seeing an improvement in overall security posture for the organization?
Kim: CISOs are constantly between a rock and a hard place. Our responsibilities are growing in importance, but we bring doom and gloom into the boardroom, and that isn’t always appreciated.
That being said, we are witnessing a dramatic shift in perception of both security itself and its practitioners. CISOs are no longer security officers; they have strategic value for business and their insights are sought after in almost every decision-making process. This is to be celebrated, as it will definitely improve visibility into the organization’s security posture, and it will strengthen accountability and ensure that the right processes and people are in place in a proactive, rather than reactive, approach.