Episode No. 3
Pushing the Envelope with Dr. Yonesy Núñez
Yonesy leads Information Security and Technology Risk Management at DTCC and previously served as CISO at Jack Henry & Associates. With extensive first-hand security experience, he knows the importance of a well-adapted line of succession to pave the path for new generations of leaders. Who are these future leaders? Everyone, including minority groups – like people of color and women- who are underrepresented in cybersecurity.
“The attackers are not skipping a beat … We are at an inflection point that will require defenders to hone in and push the envelope for more collaboration and faster adoption of technologies, ensuring that we continue to support and defend our critical infrastructure.”Dr. Yonesy Núñez
About Yonesy Núñez
Dr. Yonesy Núñez serves as Managing Director and Chief Information Security Officer at The Depository Trust & Clearing Corporation (DTCC). Yonesy leads Information Security and Technology Risk Management as the firm advances its technological modernization efforts while ensuring a comprehensive approach to risk management and cybersecurity across the organization.
Prior to DTCC, he served as CISO at Jack Henry & Associates. He has held several senior executive positions in cyber and information security at Wells Fargo, Citi, and PwC. He is President Emeritus and co-founder of the InfraGard Chapter of Long Island, New York. He serves on the Board of Trustees for the Darrow School and STEM Advisory Board for Mercy College. Additionally, Yonesy is a member of the Latino Corporate Directors Association, the Black Board Initiative, and holds numerous industry certifications. Yonesy received a Doctorate in Computing from Pace University, a Master of Science in Information Systems Engineering from The New York University Tandon School of Engineering, and a Bachelor of Science in Finance and Computer Information Systems from Manhattan College. Yonesy has also been recognized on the Hispanic IT Executives Council’s Top 100 Most Influential Hispanic Leaders in Technology list.
Alberto Yépez [AY]
Hello and welcome to the Forgecast. My name is Alberto Yepez, Co-Founder and Managing Director of Forgepoint. I have the pleasure to be speaking today with Dr. Yonesy Nunez, who is a senior executive in cybersecurity. He has worked with many multinationals and brings a lot of experience. We’re really glad to have him. He is a member of our community, and has had a progressive career after such humble beginnings. He has become a trailblazer in our industry and is so unique. Yonesy, welcome and thank you for taking the time.
1:25 Going from the Dominican Republic to the United States
Dr. Yonesy Núñez [YN]
Thank you, Alberto, for having me- and thank you to the Forgecast. It’s a pleasure to be here with you today, and I look forward to our discussion-as always, thinking ahead and focusing on what can we do for others.
Amen. So why don’t we get started: there are so many defining moments in our careers- but people perhaps don’t know where you came from. I know you’re from the Dominican Republic. I’m from Peru. We’re Latinos. We’re perhaps a very small sliver of our industry. Could you share how you got to the U.S. and how you started your career? Please give us a snippet of how that progression came.
Thank you for that, Alberto. As you know from our personal discussions at the activities we perform at conferences or other, I was born and raised in the Dominican Republic in a small town called Ansonia-which is near Azua and southwest of the capital. Ansonia is a very small, coastal town. I came to the States when I was in sixth grade. My parents were the trailblazers for us. There are four of us: two boys, two girls. That story is one where I feel that it really resonates in how we were brought up and the values around always looking to get better. We have this saying “Al mal tiempo buena cara,” which means that in inclement or bad weather, to always put up a good face. There’s always that progressive, can do better- how do we enhance not only ourselves but those around us. I learned at an early age that there’s always something to strive for, something to excel at and that you can bring others along that journey, whether they’re your family members or others. I would say that coming in or out in the sixth grade- one of the things that I learned and was keen for me was meeting Colin Powell.
At the time, Colin Powell was doing a lot of work in our space as one of our first three and four star generals. He actually attended I S 52 Junior High School which happens to be the middle school that I went to. So in the seventh grade, he came to our school to talk to us.
One of my classmates drew a picture of Colin Powell – who came to our class after he met with the entire school. He was shaking our hands, telling his story of how he grew up in the same neighborhood and had free summer lunches at this school where we attended. That resonated with me because we had to go get free lunches in the summer. He said to us, “You can be whatever you want and you can be the next Colin Powell.” Not that I wanted to be the next Colin Powell, but that really resonated with me- that it doesn’t matter where you come from and what you have, there’s no limit to what we can achieve when we have that passion and we don’t forget where we come from.
That’s something that stuck with me. When I met him in subsequent years, he didn’t remember me but I remember that moment. I would say that was one of those seminal moments for me early on in my life. It kind of set me on the paty of how do I get better, how do I help others around me to understand that hardships or mal tiempos – right, the inclement weather – they’re just passing moments. You have to have that spirit of transforming, getting better, and overcoming.
Those were some of the early lessons in my life, Alberto, that brought me here where I am today.
5:17 The Tinkerer in Cybersecurity
That’s great. How did your career in cybersecurity get started? You had a sense of purpose- in wanting to become better and so on, and could have chosen to go anywhere in any field. How did cyber start factoring into your career?
I have always been a tinkerer. I like to say that growing up with limited means that the Dominican Republic makes you a MacGyver. That was one of my favorite shows coming up. I always enjoyed taking things apart, figuring out I think things work, putting them back together. Can I make things better? Can I make it faster? Sometimes I would mess things up.
I’ve always been tinkering with technology, with computing and mechanical things. And I actually started college as an accounting major, believe it or not. When I took my first accounting class, sophomore year, first semester, I didn’t like it. I mean, I enjoyed debits and credits, but I didn’t think that I could do that my entire career as it was painted to me and met with my advisor. And she told me at the time, What do you really enjoy? What do you do on your spare time? And I said, Well, in my spare time I do some work study here at the school and I’m actually responsible for all these computers and networks that you used to print, save and store your files.
So that’s what I like to do. I really enjoy it. She said, “Well, why don’t you go do something in that space?” And that’s exactly what I want to do. And for four years while I was at school, I continued to work within the school, and received a couple of internships. I actually had a full time job before I graduated managing the network architecture at New York Media Group. That’s how I got into technology.
Security was a more interesting story as I went down and took a couple of courses SANS courses at the time, came back to the office and said, “Hey, you know, I found all these vulnerabilities and things that shouldn’t be and now I have access to things I shouldn’t have access to. So we need to get somebody to fix this stuff.”
My boss at the time turned around and said, “You found it? You fix it.” And that’s how I got into cybersecurity. That was the start of my journey, and I haven’t looked back since. I’ve been excited and enamored. It intrigues me other ways that folks can circumvent controls you put in place and then how to make that better is a constant arms race.
I can tell you that each and every day I have the same excitement when I get up, when I go to bed, I have the same excitement about the work that I do and for the companies that I work for and not just for the companies I work for, but the industry as a whole. We’ve been evolving in place. We’ve seen the changes that can happen and how quickly they can happen. My focus really has been over the last few years to leverage cybersecurity to help be that transformer, that digital capabilities, advancement. I feel that cybersecurity is at the fulcrum of allowing for those things to happen faster so that we can get more penetration with the newer technologies and workloads.
9:22 Starting out and Defining the Industry
I love the fact that you’re one of those CISOs that sees cybersecurity as an enabler, not necessarily as a detractor. You’re not about raising all these barriers because you view cyber as a way to enable new capabilities. The passion you exhibit when you talk about it is how we need to think about it. In your career you were at PwC and where you gained more formal training at the SANS Institute. You also worked in financial services, right?
Oh absolutely. Once I got turned on to cybersecurity, it wasn’t very popular back then. How I started getting more in tune was through my first big CIO gig at this company called Pall Corporation, I believe they were just recently acquired by Danaher a few years ago. That was the first opportunity that I received to lead a global and build out a global security program for this global manufacturing firm. That’s where the world opened up for me as to what was in the realm of possibility, dealing with regulators around the globe, dealing with different privacy and security requirements, and then trying to balance that with the real-life attacks that we were seeing. I’ve always been a very big fan of building communities, so I helped build out the first InfraGard chapter on Long Island-so partnering with DHS, FBI – shout out to Marianne, my special agent that I worked with very closely with in Long Island to get us hooked into all the critical infrastructure. What I learned was that we needed more collaboration and that building an environment where people can come in a share information was amazing for me.
Part of that sharing of information, I got the opportunity to come into New York City. So from Long Island to I would take the LIRR, for those who know, you guys know how much fun that is. So taking the LIRR into Manhattan, I went to this conference. There were a bunch of folks, of course, in financial services, and I happened to be on a panel and is interestingly enough on that panel, there was Jim Ralph who at the time, which is kind of full circle story, was the CISO of the DTCC.
He said to me, “Hey, what are you doing? Where are you work? Have you considered a career shifting your vertical into financial services?”
I explained, “No, I’m running security at a global firm. I’m pretty very comfortable and have a lot of work to do but why should I change my career to financial services?”
He says, “That’s where all the bad guys are coming. We’re getting attacked all the time. We could definitely use someone like you.” In having that conversation with Jim, I identified what’s the best way of breaking into a new vertical.”
I went to PwC and had a great opportunity to build out a cybersecurity and insurance practice there and he was not wrong because I had probably the top 25 whether hedge funds, big banks or multi regionals were my customers so in providing those services, I got really in tune with attacker activity, threat landscape and what were the key priorities for financial services. That led to a Global Information Security Officer role at Citigroup and then that led to Wells Fargo, Jack Henry and then where I am now, at the Depository Trust and Clearing Corporation.
13:16 Prioritizing Customer Needs
It’s interesting because I remember when we met you were at BISO – a Business Information Security Officer – a lot of people may not understand but people in the industry will understand that you were a business unit CISO, at Wells Fargo. You needed to be partnering with the business, understanding the requirements so that you can drive key enabling capabilities and then eventually you got back to driving the whole program.
It was a great journey because in that space I really got closer to the business and why cyber is important and what does it mean- to the point that now I think my number one selling aspect for my organizations is my ability to really hone in on business needs and then lever my background and expertise in cybersecurity and technology to make sure I can figure out and prioritize. Again, you can do it all, but prioritization becomes key. When you understand the business, you know why you’re doing the things that you’re doing. It makes it easier for us to prioritize our activities because at the end of the day, we also want to make sure we’re delivering positive business outcomes. That was an area that I really honed in my roles at Citi and at Wells Fargo, really focusing on what the businesses were.
I think it is a defining moment because a lot of CISOs come in and say, “Hey, you know, I know why that needs to be done. Let me just put the program together.” and sometimes they forget the customer, right? You’re in a business, you’re in business outcomes in getting closer to understanding those requirements and trying to drive the program and the priorities, like you said. Maybe it could be said that your BISO experience prepared to become a much better CISO.
100%. When you define your customer needs and requirements and your business needs and requirements, I think that adding cyber to that mix- that is the topic everyone wants to talk about. It can be the differentiator whether the customer stays with you or a new customer comes on board, right? It is that crucial and that’s what I’ve learned over the past few years.
Obviously Jack Henry, service provider, you were providing services to a lot of other institutions. It kind of shifted a little bit, your view of not only just your audience, not just the internal base, but also trying to enable capabilities for a business that actually had to interact with a lot of organizations and businesses globally, right?
Yes, its main focus is within the U.S. regional and credit union types of financial services organization. Absolutely.
And then now DTCC- I don’t know if a lot of people know what DTCC does. Could you briefly describe in how much money goes through the systems in DTCC?
So at its core, some of the things that we do are really crucial and critical being a significantly, significantly important financial market utility. We’re at the crux of a lot of post trades where information flows through and within those activities. We are the smallest and largest organization you’ve probably never heard of. If you’re not in the space, you probably don’t know who we are. But at a high level, being at the crux of all those financial transactions, it is the only organization I work with that we can use the number quadrillion. I don’t think I have ever used that in my daily vernacular. I’ve been here for about five, six weeks and I can tell you that maybe I don’t use that word every day, but it comes up in conversation and it’s a really critical role as a significantly important financial market utility to make sure that we are resilient, that we’re robust, and then our protections are in place to ensure the stability of the markets, and we intend to advance the markets together. So crucial role, and I’m super excited to be here at the same time, also understand the level of responsibility that each of my team members have across the organization and to ensure that we remain safe and secure.
I would imagine the bar is high now because you have to safeguard all that information that goes through and the amounts of money they get through the utility. I love the way you describe it. It is very, very interesting.
18:00 The Biggest Challenges Within the Industry
Let’s shift towards the biggest challenges in our industry today. More broadly speaking, our industry changes constantly. There’s the threat landscape, new emerging technologies, and many different factors that have influence. What do you see as the biggest challenges facing our industry?
Well, I would say that I’ll start with the the the headwinds that we have in place. The number one headwind for me has to do with talent. Last time I checked, and I want to say this, about a month ago there were about 696,000 cybersecurity openings in the U.S. alone. If I look globally, that number is closer to about a million plus postings for cybersecurity professionals that are open today. That tells me that we have a huge role to fill and not having the individuals that are perhaps interested and qualified right or not interested and unqualified. That tells me we have some type of problem there where the funnel is not large enough to accommodate transition in careers or bringing the the folks into the environment. So that’s one: the talent issue.
The second one has to do with leadership in this space because it’s not just around the technology. The technology is there. We need to have strong, robust technology leadership, but there’s a whole aspect associated with it. I would tell you, if I if I get in a room and I talk to my CISO peers, they’ll tell you that at every new organization that they become a newer CISO to- they’re revamping or renewing the program. I think we have a gap in that space, I feel that we should have better succession and leadership planning now to ensure that that doesn’t occur. One of the things that I’m super keen on is for the organizations I work for is to make sure that I’m building a robust succession plan.
People are important and you want to make sure that as your career advances, you are leaving behind the right transitions and team to continue with the mission when your leadership team, or if half of them win the lottery or your leaders no longer there. I think that’s the three-prong headwind that we see.
Now on the positive side. Some of the tailwinds that I feel exist today involve technology. The way we do things is changing right in front of us. The work that we’re doing today is going to be different. Tomorrow is going to be different two, three years from now. Things are happening right now.
A lot of great changes that we can leverage, whether there is that newer technology, newer ways of doing things. We’ve got a couple of generations coming up now. Better thinking, differently than us. I didn’t grow up with an iPhone in my hand. I didn’t grow up with super-fast Internet at home. I feel that that’s really going to change the ideas and innovation coming up. I’m super excited about what these new generations are going to be able to influence and the way we do things to change for the better. The advancements in computing, the advancements in the leveraging of large language models or other computational artificial intelligence like technologies-I feel we are in the nascent stages. I’m a big proponent of leveraging those as needed to become more efficient, more robust and faster delivery to the things that we need to deliver for those positive outcomes. There’s a lot of interest I can hear now- the clamoring from students as young as eighth grade talking about cybersecurity, which that was not the case a few years back.
22:29 Making Cybersecurity a Household Word
There’s a lot of interest in the work that we do. As folks like yourself, Alberto and others continue to make that outreach, how do we create and build cybersecurity as a common word, a household word? Everyone knows what that is and can aspire to be in this profession. For me, putting all of that together, the attackers are not skipping a beat, right? They know how to leverage the technology. They are also operating with new they know how to leverage the technology. They are also operating with new innovative ideas. They have the means, they have the methodologies, and they have the collaboration to do so. I feel that we are definitely at an inflection point and it’s going to require a lot of what I call the defenders to really hone in, get together and continue to push the envelope for more collaboration, faster adoption of technologies, and ensuring that we continue to support and defend our critical infrastructure.
Very well said. Innovation has a place and we love the fact that you are a member of our Advisory Council and help us whenever we find an idea, validate it, and try to refine it. And once we decide to make a bet, you work with the teams to make sure those products address real problems and eventually they become successful in their own right.
23:53 Thoughts on the Current Regulatory Environment
Going back to, you know, the tailwinds and the headwinds, how do you see the current regulatory environment? You lived pretty much all your life in a highly regulated industry, you know, starting in financial services. You’ve seen the SEC put in some guidelines on terms on not only reporting, demanding a certain level of subject matter expertise of the board level. Some people hate regulatory environments, but sometimes they are the carrot and the stick. How do you you think about the regulatory environment being an enabler or maybe a nuisance?
I like to dub it as is the ebb and flow of the of environments, right? So my role and my job as I see it and my priorities are to protect and defend. So now in the process of protecting and defending, what am I missing? How can I get better? I tend to see a lot of the regulatory acquirers that come in place is really to ensure that folks are adhering to not only best practices, but what are the best ways to protect and defend. So I find that if your strategy is one that is about creating a good foundation, optimizing that foundation, and then continuously improving that lifecycle, then you are doing that.
As regulatory requirements come and go based on what’s happening in the landscape and in the environment, if you’re keeping it up and you’re continuing to optimize and enhance what you do, you’re going to be just fine. My take is I’m usually very excited to work with all my regulators and examiners and folks that need to understand our environment. I really see the value in understanding approaches, understanding coverage, and of course, in how are we keeping up.
Because what was good yesterday might not be good today. Sometimes the things that were really bad can become better if we deal with them appropriately. I tend to look at things in a lifecycle process and feel that regulatory requirements and examiners are just part of that ecosystem that that we all have to again, that collaboration, right? It’s across the board. It’s not just with your partner, it’s not just with your peers, it’s also with the folks that are ensuring that we continue to work, deliver, execute within the guidelines that were mandated.
I think what the regulatory environment is also launching the role of the CISO as a key role. I remember way back in year 2000, Y2K, it launched a CFO as a critical member of the executive team and also at the board level having audit committees and all that. Now the regulatory environment is complex, and businesses are becoming increasingly digital, so the role of the CISO becomes an imperative and incredibly more important. There’s an evolution of the CISO, not just reporting to the board, but being board members. I know you’re very active and you’ve done a lot of work in that area trying to be member of the number of directors, directors groups and trying to break that that ceiling a little bit more into the role of the C-suite on the board, on board directors.
That’s it’s a great question. I started reporting whether it was my internal boards or external boards as a guest speaker since 2000 and well, and I can tell you that I’ve seen the requests for information about cybersecurity increase exponentially in the last 11 years, 11 or 12 years in this space. Right now, if your board is not talking about cybersecurity once a quarter are perennially there is something amiss. It is a key risk activity for organizations to really keep a pulse on.
Things are moving so fast that it definitely behooves not only understanding the environment that you’re in, but also what are the threats that are happening, because you need to have that context as well. Who’s coming after us? Why are they coming after us? Where are they coming after us? How many times have we seen them and what do they continue to do to try to infiltrate into our environments? And all of that’s changing extremely fast. I don’t want to bore you with too many details, but it’s no longer just about attacking computers, right? People are being part of these campaigns today. We’re all being targeted. So it’s one of those things that you have to look at holistically and it’s continuing to evolve. And that’s why I feel it’s important. It needs to be, as you mentioned, a perennial sort of discussion at the board leadership committees and of course, operating committees throughout.
29:47 Giving Back and Increasing Diversity, Equity, and Inclusion
Let’s shift to a completely different subject. You have always been big at giving back. How has that made you a better person? You’ve been a mentor to many. You’ve been part of organizations where you help the next generation scale. Please share a bit on your role and how important that is for all of us are becoming leaders in our own ways to show people that it is possible to get to new heights.
Thank you for that question. I think that’s one that is close and dear to my heart as I feel that, as someone said, it is better to give than to receive. As it pertains to sponsoring others and seeing others be successful, I couldn’t be where I am today without folks like yourself, Alberto and others. I mentioned Jim earlier. So many folks out there, like Ms. Crespo, in middle school, right, that they gave me an opportunity that that extended a hand because they saw something in me that maybe I didn’t even see in myself. In as much as I can share that and provide that others is something that is really close to the where I am as a person today, which is to say, how can I help more people be successful? Whether you choose to do cyber or not, is that sense of getting better and advancing that I feel is needed where we are.
We’re in an area today where, you know, diversity, the equity, inclusion and belonging are not just words anymore. It is a way of life. I can tell you that the organizations that I work with and work for are the ones with the best culture and the best appetite for folks just being collaborative are the ones that allow people to bring their authentic selves each and every day. I’m not going to say that it’s nirvana, but, you know, I think, as Tony Horton said, varieties the spice of life. I find that, you know, when you allow people to to come in and be themselves, great things happen, right? And I have to say that it’s going to be roses and butterflies every day. But, it’s par for the course and I feel that we’re making a lot of inroads. I’m super excited to continue to mentor, to push the needle and to make sure that minority women, underrepresented groups continue to be well-represented and also know that they have sponsors, they have allies. I want to say, this is a mission for me to continue to do that until I can no longer.
Yes, I know when we met through HITEC, we were actively working with the Hispanic community because we wanted to elevate and create that pipeline and inspire others to do that. One thing that at least when I was very involved with HITEC, for me, giving back was a huge component of the organization. I think the mentorship program, the fact that we wanted to prepare our own membership, be ready to go join boards and everything else. But that doesn’t happen without the leaders that emerge. Then the people want to follow. I think you’re being one of those that people look up to.
I really like the the concept of the ambassador- I think the DTCC is talking to you as potentially being an ambassador to the community, right? This is one of these things where they want to highlight some of their success and the fact that their leaders can help bring others to that to the level, right?
Yes, I know one of the first things I did here actually was have a conversation with Unidos as part of our ERG group and places like Alpha as well, just making sure continue to share our stories and specifically on how we can become sponsors, ambassadors to ensure people can see that, hey, yes you can. Yes we can. And continue to strive for your goals. Right. The sky’s the limit. Don’t think about the impossible, but make sure that I am possible.
34:08 Key Characteristics for Success
The last question I want to ask is what are the key characteristics for success as an individual? What do you see are the constant values or ways that you get defined? What do you think people should carry along with themselves in order to be successful?
I think the first one is really around personal. Please bring your authentic self to everything. I’m a big fan of skip level meetings and I start them with trying to learn about folks. “Tell me something that is special to you, key to you that I otherwise wouldn’t have known if I had asked you this question right now.” You’d be surprised how many people struggle with that. But once they open up, it’s a different conversation. I’ve found, you know, princesses, I’ve found baronesses. I found racecar drivers in my teams that I would have never known that these people were so exciting and amazing. Everybody has that question. So bring your authentic self to taught.
Number two has to do with getting feedback. Sometimes that critique is what’s going to make you better humans. Our eyes look outwards, so it’s really easy to see what needs to be fixed or help with moved along externally. When you ask for feedback, it’s giving you a view that you may not have of yourself, and it’s so important to request feedback. That’s one of the things I’m always keen on whether its my boss, my peer or somebody that works for me and sometimes even someone from the outside. “Hey, can you give me some feedback? What? What did you see here? How can I get better? What am I missing?” It’s all about understanding what your blind spots are. So those two are very personal.
I think the third one really is about our roles. Again, humans are very good at looking externally. Our eyes are facing outward at what needs to be improved. So how do you collaborate? How are you becoming part of the solution? That this is not a very specific thing, but it’s across the board. Bring that collaborative spirit into each of your conversations about how you can help, not just what you’re saying that needs to be helped or fixed or enhanced, but how can you enhance it and bring those ideas forward?
So I find that those three attributes are core to how I am as a person, as a leader, and I try to exhibit those all the time. Not perfect, but I’m always looking to get better. I think that there might be a fourth one. Their endeavor to get better every day.
A lot of that deals with empathy as well, right? Because what defines us here is the context. As we grow older. There’s two very important things, the context in our careers, in the context as we grow, we have more context with how we’re going to experience in the context, define us in a way that, you know, make us very, very unique. You have to be comfortable with your own skin, which is what you said, being authentic yourself, but also have empathy that as others come up they may have had different ways to get to where they need to be. But having that empathy and see how you could be of service, then, you know the rest is history.
Absolutely. That is one of one key strengths, whenever I get to introduce myself- as being an empathetic leader. It’s one of my four boxes that that’s close and dear to my heart because that’s part of that collaborative piece we just talk about, is that to really hone in and listen to others. So key.
Well, we have a lot of work to do, and you’re an emerging leader. You’re an established leader, but you’re emerging, you’re young, you’re going to go to new heights and really appreciate your multiple contributions to our industry and look for many, many years of partnership working together in and pushing and pulling up the next generation of leaders.
Yonesy, thank you very much for taking the time. I’m sure that you would inspire many, many people on the Forgecasts and maybe we’ll come back and see you in future episodes. So thanks again and I look forward to seeing you soon.
Thanks, Alberto. I’ll see you soon. And thank you all the folks at the Forgecast for making this happen. Have a good one.
Thank you, Yonesy. Take care.