Yael: We don't get a lot of support in our professional career and any validation. When you get to be a department head, you don't get somebody else who's genuinely looking at what you're doing and seeing the positive. Most of our assessments are to go find gaps, or to go find, you know, growth areas in any domain, and in security, there's plenty of those.
But the starting point is to recognize that we have connected security to the org. And when we get to do that together with security teams, it does feel calm. It feels like we know what the program is, we know where we are, we're exactly where we're supposed to be, and we also have a map and know where we're going. And that feels very natural for us to do.
Caroline: From Cobalt at Home, this is Humans of InfoSec, a show about real people, their work, and its impact on the information security industry. Yael Nagler is the founder of Yass Partners, a services company which provides advisory and learning labs to CISOs, CIOs, and Chief Risk Officers, with the purpose of amplifying security leaders' impact.
Founded in 2019, Yass Partners are a group of professionals that Yael describes as the Swiss Army Knife for corporate cyber management. They are known for uniquely using frameworks and templates to accelerate execution and align messaging. Yael is a board advisor experienced in managing technology and enterprise risk. She's held leadership roles during periods of crisis and growth at BlackRock and JP Morgan, and credits her experience as a chief of staff and COO for her skill in reading the room and understanding the culture of an organization.
Yael has a fascinating background, and you might actually recognize her as a guest from an older episode back in 2022 when she flipped the script and interviewed me. This time, I am so excited to have her back to share more about her background and upcoming projects. Yael, welcome to the show.
Yael: It is great to be talking to you again, Caroline. Thanks for having me.
Caroline: Well, Yael, you got to interview me last year, so we're switching back over. You are going to be in the spotlight today. Tell me about your professional journey. How did you get started, and what led you to the cybersecurity world?
Yael: Well, you know, I feel like this question could be like one of those dinner conversations that just seems to last forever and doesn't end. So, I'll try and accelerate each of the inflection points in my career. I studied hotel management at Cornell, and that is not the place that most people get into security from. My first professional experience was at Priceline in their pre-IPO times to help them design and launch their hotel product, which made sense.
From there, I went to consulting where I was at Andersen in their business consulting practice at a very interesting time, because Enron had been happening. None of the consulting projects that I was on were related to Enron, nor did I start on any project. I arrived at projects mid-flight to help redirect them, which I don't think I knew at the time. After a number of years at Andersen, I then ended up in enterprise software at Ariba, where this was a remarkable experience.
I got to see inside of large enterprise, financial services, and healthcare companies in particular, in three core operating functions for all of the largest companies, because we were helping them to understand and to put together processes around enterprise, expense management, a fascinating time.
I left Ariba to join Bear Stearns, one of our clients at the time, where I had responsibility for $1.2 billion of their non-IT spend. And I arrived just before the financial collapse, which, once again unexpected, provided a phenomenal lens into managing corporate crisis, trying to find ways to save money overnight. I actually had something to contribute to that conversation, and I learned a lot along the way. I stayed there as part of the JP Morgan team, where we then acquired and integrated three more organizations. Washington Mutual was one of them. Huge projects and a great learning opportunity. I got to see patterns that I think most people don't generally get introduced to.
I eventually moved from JP Morgan to BlackRock where I spent 10 years, just before they announced one of their large integrations of Barclays Global Investors. I had a variety of roles in the company starting with expense management, naturally moving into financial planning and analysis, and eventually landing in information security.
The company had recently stood up their information security team and invested in hiring a Chief Information Security Officer and bringing in domain experts. I wanted to get it right. And the way that they were going to guarantee and protect their investment was to ensure that somebody who understood the company and had to navigate the organization was tied to the program. And it was a remarkable thesis from BlackRock and a learning opportunity for me. It's from there that I left and had the opportunity to build Yass Partners, based on all of those experiences.
Caroline: Wow, wow. I mean, one of the things that I love about each and every one of the guests that I have on the Humans of InfoSec podcast is that everyone has such a different path. And yours is very extremely exciting. I would call your career path not exactly conventional. And I wonder, you know, sometimes these things, it's like when they're happening, they're just happening. But then sometimes when you look backwards, it sort of all makes sense. And I wonder what reflections you have on your version of a very unconventional career path into cybersecurity.
Yael: So, I think that's totally right. A lot of learning comes from reflection and it's a thing we don't give ourselves enough time to do. So, for me, I think that what has naturally brought me into cybersecurity and where I've learned to excel is that having danced in so many different enterprise organizations during periods of extreme crisis or significant growth, I've been able to identify patterns of corporate operations, and in particular, of enterprise risk management and technology risk. And I think it's that experience space that has built a rich library of learning that feels like a really natural fit for me, actually, in information security now.
Caroline: Incredible. You know, you have developed so much core expertise around the topic of tech risk. What is it about tech risk that catches your attention, and what motivates you to continue to pursue this topic?
Yael: So, I think tech risk is just like the most basic example of "Do you understand what matters to this company?" And then, for cyber leaders, "Can you tell me about your domain in the context of what matters to this company?" And then finally, "Can you share it with me objectively, so that I can make good decisions for this company?"
To me, tech risk demonstrates a certain maturity in business leadership and in cybersecurity that really distinguishes the programs. For me, I find it exciting every time. And if we think about information security in the context of managing tech risk, we don't feel as burdened by all of the components of what could go wrong and what our responsibilities are because we're able to translate it back to the organization related to what the company does. I get really excited actually when I think about how to slice and skin and present tech risk because I think in so many ways, it's what can organize and declutter the role and the challenges of CISOs.
Caroline: I do think that sometimes, the work that a CISO and their team has to do can seem so incredibly complex. And I think that there's an opportunity to kind of perform some pattern matching. You founded a company. Tell me more about Yass Partners. How did the idea for the organization take shape, and what is it like to be growing it?
Yael: So, Yass Partners, our core belief is that the apprenticeship model is, like, the best way to learn. And I don't know why there isn't a word for what you call the person who teaches the apprentice, but it's like being in the trenches with you. And so, with that as, like, our approach, we realize that, you know, the culmination of our experiences is the ability to understand corporate organizations and what kind of security programs they need at this time given where they are, and then being able to identify the behaviors and patterns in the security leader, and what skills and competencies they will need to develop and to further peacock and demonstrate for that organization.
So, Yass Partners really kind of lives doing two kinds of assessments at the same time. One is around what the specific program necessary for the company is, and then what the skills and behaviors are for the security leader in seat. And we deliver it with the apprenticeship. If we can make more security leaders more competent and confident, then overall, enterprise is better protected, and we're just arming our future selves successfully. That's been our motivator for us as a team to deliver. And I think that, you know, we've had increasing impact, so I'm really proud of what we've achieved.
You asked me what it's like to continue to grow Yass, which is a phenomenal reflection question. And what I would say is that we just continue to see themes and patterns emerge. So, for us, it just makes it easier and faster to deliver our work. We do it with frameworks and we do it with templates. So, if we can quickly pinpoint the pattern, then we easily are able to pull forward the correct template or the right framework to explain it from. And to the extent that we can bring bandwidth experience, openness, empathy, camaraderie to security leaders and to their teams, it feels really rewarding and I think everyone achieves success more quickly.
The one thing I sometimes worry about is, will the challenges continue to be exciting. And so far, I haven't been disappointed because either the people approach it differently, or their environment demands something new. And in all cases, that's what keeps it, you know, fun to grow, but a continuous challenge.
Caroline: I can just hear the passion in your voice when you talk about it. And I wonder if there's an area of the work that you do that you would call your favorite, or that you maybe find to be particularly inspiring and something that gives you energy.
Yael: I really have found that in all of the different corporate roles that I've danced in from finance to vendor management, to contracting, to legal, to consulting, to sales, I've been in all of these roles actually, I've been in those roles, the people who want to be and who find themselves burdened by being security leaders are remarkable.
I love being in a room and having a conversation with them because they're protectors. The part that I enjoy the most about this is talking to those people for two reasons. One is to unlock within them the answers that they already have and to show them that, "Oh, we can just say it this way, or present it that way, or tackle it in this sequence." And it's fun to see them say, "Oh, it was my idea. We've just brought it to life."
And the second part that I really enjoy is learning from them. I mean, I get to learn from domain experts. I work with one CISO who's an expert at securing different components of, you know, an asset, using tools like blockchain and identity and saying, "Who has access to this piece, and this component of the product, and how can we ensure the security of it?" And listening to them just craft that story, I'm constantly learning. And so, for me, that, I think also hones, you know, our library, but it gets me excited every time.
Caroline: Yael, when I hear you describe the work that you're focused on today, I kind of think of you as, like, a CISO whisperer. And I think that the role and the experience of a CISO, whether it's an up-and-coming CISO or a mature and experienced CISO, there can just be so much chaos. And I've actually heard you and your company described as the calm in the chaos. You are bringing calm to the chaos. I wonder if you would tell me a little bit more about that idea.
Yael: It's so flattering to hear that, and we do genuinely feel that when we get to peek behind the curtain, I think what distinguishes our approach is that we don't come with an approach. We come to learn the security leader and the organization, and then we spend time really seeing the security team and their potential.
By being able to start with the shared vision aligned around your mission, it just feels like we're already on the same team and we're championing positively. And I think that enables us to invite security teams to tackle the same problem perhaps a little bit differently. And when they do that, they generally have found great success, and that breeds confidence. And when a security leader is confident, their program, it becomes inspiring for staff members, for their team members. For us, we feel really fortunate to help them see all their good in what they're doing, and remind them of their trajectory.
We don't get a lot of support in our professional career and any validation. When you get to be a department head, you don't get somebody else who's genuinely looking at what you're doing and seeing the positive. Most of our assessments are to go find gaps or to go find, you know, growth areas. In any domain, and in security, there's plenty of those. But the starting point is to recognize that we have connected security to the org. And when we get to do that together with security teams, it does feel calm. It feels like we know what the program is, we know where we are, we're exactly where we're supposed to be, and we also have a map and know where we're going. And that feels very natural for us to do.
Caroline: Yael, I wonder if you could share with me an example of sort of one story, one case study of one of your partners and how that goes, how that went.
Yael: Yeah. So, there's one project, which actually follows a very common meter and theme. The company might be starting to recognize that they need to radically improve or speed up their technology security performance. And that was the case in this one that I'm thinking of, have the CIO recognize the need to have a very... more accelerated view of technology, shaped by risk management, both from a regulatory perspective, client mandate, as well as good steward of the future.
So, what does our project look like at that point? We come in and we always start inside. We always start with a really, really small purview. We start in security to understand what the security program is and is doing and has done and struggles to get done. That creates the roadmap. Then we always look at governance. How do decisions get made? And we seek to understand if there are ways to improve decisions, pace, or quality. Often that's with, you know, governance and transparency.
And then from there, we either are able to position the program forward or create the construct, the framework for other important decisions to be made. In this one case, we were brought in to look at the security program. And it was because of looking at the security program, establishing some cadence and meter of success that, you know, we increasingly were invited in to look at other broader technology questions, like how do we consolidate our cloud platform, and, you know, what should our pace be for product development, you know, across each of our different apps?
Those are not common security projects or challenges, but being able to be organized from a framework perspective, we realize that all of those tie together to security. And if we can help move those in the same direction, or at least share some foundational principles, it actually improves security and can improve these other functions. We knew, but how do these projects end, right, because that's really important. We really believe in being a short-time support. We're not the fix, you're the fix. We are the support for whatever it is that you're working on.
We architected a direction, we established governance, and we created some practice coordination, such that we didn't need to continue to drive or even influence the future change that was happening. So, for us, that was a really rewarding project, but a very standard construct. Start small and then, you know, shape direction.
Caroline: You absolutely answered the question. And I think it's like just about asking questions that... It's almost like I just like reach out and I touch your head, and then like all these sparks come out, and I just like to see what happens when I do that. When you reflect on all the different experiences that you had, I wonder if there's one that you could tell me about that was really unexpected, that you learned a lot from.
Yael: I've been really fortunate to have either grown up in a ballsy Israeli family or been at the right place at the right time before anyone knew any better. But I have been so fortunate to be able to say, "Well, why don't we just," and have that generally be listened to, and not be scolded for. So, I think the experience that I've had has been a persistent confidence to say, "Why don't we just, and what would happen if?" And increasingly, I have found that people are generally willing to hear that even when it seems inappropriate.
So, there are so many examples of when I've asked that question that have always turned out different than I thought they would, and I've always learned from it. Sometimes, "Why don't we just," is met with "Because we can't." And then you learn all of the facts, and that's helpful. Sometimes, "Why don't we just," or "What would happen if," like, invites pause, or enables somebody else in the room to yes/and on that topic, and that feels great. So, I don't know that I actually have a one answer. It would be that I've been continuously asking, "Why don't we just, and what would happen if."
Caroline: I think you demonstrate an approach to innovation, and I think you demonstrate an approach to innovation as a group. I think that when you ask that question, when you have the confidence to ask that question, it actually draws everyone forward with you. And even if the answer to that first question is "No, because," that just means there's an opportunity to turn right or to turn left, and that maybe you're not going forward at that step. But I really think that that is an incredibly good approach to innovative thinking.
Yael: Yeah, I feel like it's also been one that's been tamped down a lot these days. I feel like especially in security, people are reluctant to suggest something because it will result in more work. And I wish that I could unstick that because the thing that I've been really drawn to in information security and in cybersecurity, whether you're a threat researcher, an analyst, a [inaudible 00:22:00.618] manager, you know, and the rest, is that we've always approached it differently from how it was done before us. And if we stop asking like the, "What would happen if and why don't we just," like, we're waiting for somebody else to make those decisions. I don't know. And I worry about how that will manifest.
Caroline: Yeah. Yael, I want to thank you so much for taking the time with me today. I love hearing about your story and about your work, and I'm just so delighted that you chose to join me today for this episode.
Yael: This was so nice to talk to you and to reflect back. I very rarely get to do that. So, thank you for giving me the space for that.
Caroline: Our pleasure. Humans of InfoSec is brought to you by Cobalt, a Pentest as a Service company. You can find us on Twitter, @humansofinfosec.