Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape


Book written by Sounil Yu

Book review by Rick Howard 

Bottom Line

I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.

From a survey of some 1200 security decision makers in 2021, Panaseer estimated that the average number of security tools deployed in big enterprises is approximately 76. That's a big number to manage. Compare it to the early internet days (1990s), when we all just had three tools (firewalls, anti-virus, and intrusion detection), and the inherent complexity of that constant growth is startling. In today's security vendor climate, most tools are platforms that can perform all sorts of functions, and I'd wager a hundred dollars of my own money that many of those 76 tools have overlapping features. The impact is that security practitioners may pay x dollars for tool A and y dollars for tool B when one tool might suffice. If there were some way we could analyze our deployed tool set to eliminate this inefficiency in terms of cost and functionality, we could reduce the cost of ownership for our infosec programs in terms of budget and technical debt. This is where Sounil Yu's book, "Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape," comes into play.

Full disclosure: Sounil is an old friend of mine, and I've had the pleasure of discussing this topic with him over the years as he has developed it. I met him when he was the Chief Security Scientist at Bank of America (as of this writing, he is the CISO at JupiterOne). Bank of America is the kind of organization that would have at least 76 security tools deployed, if not many more, and one of Sounil's jobs was to recommend new cybersecurity technologies. But he found the task of deciphering what tool A and tool B did by reading vendor product marketing documentation to be almost impossible. Vendors claim that their products do everything better than their competitors, including whatever the latest favored buzzword is, such as zero trust or artificial intelligence. Sounil said, "I was staring at this mess of buzzwords that don't really make any sense and trying to decipher what we actually needed." He needed a way to evaluate each deployed and potential product.

Sounil's Cyber Defense Matrix is a scaffolding to assess security tools in conjunction with the NIST Cybersecurity Framework. It's a methodology to categorize each deployed tool into one of five buckets: Identify, Protect, Detect, Respond, and Recover. You can use the matrix to visualize where you have tool overlap and where you have tactical deployment gaps while pursuing your overall infosec strategy. When you have tool overlap, you can reduce the cost of your infosec program without raising the probability of material impact to your organization from a cyber attack. When you identify deployment gaps, you can assess how much you might buy down risk by filling that gap.
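To make the overlap-and-gap analysis concrete, here is an added example of my own (not code from the book or from Sounil Yu) that builds the matrix from a constructed tool inventory, lists uncovered cells, lists cells covered by more than one tool, and greedily picks out tools that could be dropped without opening a new gap. It goes slightly beyond the review by using the published matrix's second axis of asset classes (devices, applications, networks, data, users) alongside the five NIST functions; the tool names and their coverage claims are hypothetical.

```python
from itertools import product

# Column axis: the five NIST Cybersecurity Framework functions named in the review.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Row axis: the asset classes the published matrix uses (not mentioned in the review).
ASSETS = ("Devices", "Applications", "Networks", "Data", "Users")

# Constructed inventory (hypothetical tool names, illustrative coverage claims):
# tool -> set of (asset, function) cells the tool is judged to cover.
INVENTORY = {
    "EDR-A": {("Devices", "Protect"), ("Devices", "Detect"), ("Devices", "Respond")},
    "AV-B": {("Devices", "Protect")},
    "NGFW": {("Networks", "Protect"), ("Networks", "Detect")},
    "NIDS": {("Networks", "Detect")},
    "Asset-Inv": {("Devices", "Identify"), ("Applications", "Identify")},
    "Backup": {("Data", "Recover"), ("Devices", "Recover")},
    "DLP": {("Data", "Protect"), ("Data", "Detect")},
}

def build_matrix(inventory):
    """Return {(asset, function): set(tool names)} for every cell of the matrix."""
    matrix = {cell: set() for cell in product(ASSETS, FUNCTIONS)}
    for tool, cells in inventory.items():
        for cell in cells:
            if cell not in matrix:
                raise ValueError(f"{tool}: {cell} is not a matrix cell")
            matrix[cell].add(tool)
    return matrix

def gaps(matrix):
    """Cells no deployed tool covers: candidates for buying down risk."""
    return sorted(cell for cell, tools in matrix.items() if not tools)

def overlaps(matrix):
    """Cells covered by more than one tool: candidates for consolidation."""
    return {cell: sorted(tools) for cell, tools in matrix.items() if len(tools) > 1}

def redundant_tools(inventory):
    """Greedily drop tools whose every cell another tool also covers, smallest first."""
    remaining, dropped = dict(inventory), []
    while True:
        matrix = build_matrix(remaining)  # recompute after each removal
        removable = [t for t in sorted(remaining, key=lambda t: (len(remaining[t]), t))
                     if all(len(matrix[c]) > 1 for c in remaining[t])]
        if not removable:
            return dropped
        dropped.append(removable[0])
        del remaining[removable[0]]
```

With this inventory, `redundant_tools(INVENTORY)` returns the two single-cell tools whose coverage is already provided elsewhere, while `gaps` shows the whole Users row and most of Applications still uncovered.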

Sounil centers the matrix on the NIST Cybersecurity Framework as the strategy. I could argue that the Framework is not really a strategy at all. It's more of a maturity model or checklist, but hey, if that's what you have built your infosec program on, you can use the Cyber Defense Matrix to eliminate waste and perhaps get more coverage. If you don't like the NIST Cybersecurity Framework, pick your own. If you're more of a first-principles aficionado and are pursuing zero trust, intrusion kill chain prevention, and/or resilience as your strategy, Sounil's matrix can help you regardless of your choice.

Admittedly, I don't see Sounil's matrix being of much use to startups, small organizations, and even some medium-sized ones. Those teams don't have the same collection of tools that a Bank of America might have. That's why I'm not recommending this book for the Cybersecurity Canon Hall of Fame. It doesn't apply to every cybersecurity practitioner. Still, as your organization grows and the number of your security tools creeps up to a number that is too hard to keep track of in your head, Sounil's Cyber Defense Matrix can make your job easier.