In this week's episode Dr. Crane speaks with Nick Shevelyov, former chief security officer of Silicon Valley Bank and author of Cyber War and Peace, about staying true to your values and applying the principles of Stoicism (wisdom, justice, courage and moderation) in the context of information security leadership.
Nick is wrapping up a 14-year rise at Silicon Valley Bank, where he has served as the security leader. Banking the world's most innovative companies, SVB provides diverse financial services, a global network and world-class service, with over $150 billion in total assets and more than 3,500 employees.
Nick also recently released a new book, Cyber War... and Peace, that artfully combines the philosophy of stoicism with information security. Today, I'm talking with Nick about how he meets the challenges of a demanding customer base and how he uses the concepts of stoicism to help him serve and protect his customers.
In this episode:
00:00 — Highlight Clip
02:35 — Introductions
02:39 — Cyber War And Peace
03:42 — How To Apply The Values Of Stoicism To Cybersecurity
06:57 — How To Apply Courage While In The Role Of CISO
09:10 — Applying Wisdom In Cybersecurity
11:10 — Applying Justice In Cybersecurity
12:21 — Knowing Yourself And Asset Inventory
16:09 — What Values Are Important For A New CISO
19:08 — Sign Off
Nick Shevelyov:
Website — https://www.nickshevelyov.com/
Cyber War... And Peace — https://www.nickshevelyov.com/the-book
Links in this episode:
The Happiness Advantage — https://www.shawnachor.com/books/happiness-advantage/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/009-the-stoic-ciso-with-nick-shevelyov
[00:02:20] Earl Crane: Nick, welcome to the program.
[00:02:21] Nick Shevelyov: Thanks for having me, glad to be here.
[00:02:24] Nick Shevelyov: The book came from a period of introspection about 10 years ago. And, I started speaking on the concepts of taking lessons from history and philosophy, and applying them to technology risk management. At conferences, people would come up and say you should write a book on this, and I never had the time. With lockdown, I decided I'm going to write a book on this concept. I'm going to publish it, and I'm going to donate all the proceeds to charity. And I've done just that. And so luckily it hit number one on multiple Amazon bestseller lists. And it's meant for business leaders who want to learn more about technology, and it takes storytelling from lessons in history and applies it at a high level to sound security principles.
[00:03:03] Nick Shevelyov: So hopefully, it's a win for a business leader to understand a little more about a very important topic. But also for security practitioners, leveraging the power of storytelling to communicate to your executives and your boards. Hopefully it gets you the budget that you need in order to defend the organization that you're missioned to protect.
[00:03:21] Nick Shevelyov: So, that's the background on the book, and it's available now on Amazon.
[00:03:27] Earl Crane: I mentioned I wanted to get into stoicism as well, which I've learned a lot more about from you as I've gotten to know you, and I appreciate that. When we talk about the four principles of stoicism, these are wisdom, justice, courage, and moderation. I want to talk about how we can apply these. How do you apply these in your role as a cybersecurity leader? And maybe even start with how you've stayed true to your values, even when you have a lot of competing forces.
[00:03:57] Nick Shevelyov: Where do we get our values? Well, typically we start off with getting something from our parents, right. And we learn those, and as we grow and develop into adults, our values evolve and reflect what's meaningful to us. And hopefully you get to work at a company whose values reflect those of your own, and that creates long-term prosperity. And I've been fortunate for that in my career with Silicon Valley Bank. For me, I just had a childhood interest in technology and history and philosophy. And so I've always been true to those, and I've tried to weave those into my profession. And so, how do we take lessons that worked 2000 years ago as Stoic philosophy, and how can we apply them today in the modern age?
[00:04:45] Nick Shevelyov: And some of the principles that you and I have talked about, Earl, one that Marcus Aurelius wrote about in his book Meditations, is know thyself, right? Who are you? What do you believe in? Why do you believe it? It helps you become a more authentic version of yourself, and true to yourself. That applies to digital risk management, technology and cybersecurity. What are your assets? Do you know what they are? Are you validating your assets with the right frequency and efficacy? What about the applications that you have? Do you know those both on and off prem? How about the data that you're hosting? In today's age we talk about data being the new oil. As a risk professional, I think of it more as the new uranium. It can provide great value, it can empower you, but mishandled it can create a toxic risk for organizations. And so these ideas that Marcus Aurelius wrote about in the school of Stoics, and later, and you can see it in the writing of Sun Tzu, who likely wasn't one general but many generals writing over the course of time, about know thyself and know thy enemy, and you will win a hundred battles.
[00:05:55] Nick Shevelyov: And as a good security professional, you need to know what you are defending. Never paint a picture, because the landscape is dynamic. So just be aware of the fact that only the paranoid survive, and of the continuous validation of your controls, because the efficacy of controls degrades over time: continuous validation with the right efficacy and frequency, in order to better understand the threat landscape that you're defending, and then apply the appropriate bespoke security controls. All that is part of the journey of protecting an organization. Certainly not a destination but a journey, where you're willing to learn and apply those lessons while sticking to your core principles in order to achieve the outcomes that you're looking for.
[00:06:42] Earl Crane: Let's go back to some of the core concepts in stoicism, and I'm drawn to the idea of courage. And when we think of the definition of courage, it's going into something that could harm you, but knowing that you need to do it anyway, right? It's courageous when you can see the possible negative outcomes. And so let's go back to talking about how you're making those risk-based decisions.
[00:07:06] Earl Crane: Where have you needed to apply courage in, maybe it was dealing with a vendor that you said you couldn't go forward with, or maybe it was tackling a challenge that you knew that would be particularly difficult. How do you apply the concept of courage in the role of a CISO?
[00:07:24] Nick Shevelyov: Let's just say a vendor might have a strong relationship with the bank, and really, really wants to sell to you, and you consider them and maybe their technology wasn't a fit for you at that time. And then you say thank you, but we're not going to go with you. That might impact the sales relationship, right? And then there might be a dynamic where, hey, we might lose this client if you don't choose their technology. Well, that's where your intestinal fortitude has to come in, right?
[00:07:56] Nick Shevelyov: That salesperson won't be on the line with you at two o'clock in the morning when there is a breach because you in part chose the wrong solution for the wrong reasons for the organization. You know, fortunately SVB is a values-based organization, and you can talk to folks and say, hey, you know what? We made the right decision for the bank's security outcomes. It wasn't necessarily the best decision for the sales relationship. But this is a long-term play. We're thinking about the long-term resilience of the organization. And you have to communicate and explain why. I think that you want to have a relationship where you explain, you know, we didn't choose you, but here's why we didn't choose you, here's what we're going with. Maintain the relationship. Hopefully it remains, and understand that an investment today in a security solution is not forever. And sometimes if you don't partner today, you might partner a few years from now, and maintaining the relationship, treating each other with dignity and respect, I think is foundational.
[00:08:55] Earl Crane: I want to go back and talk about wisdom. When we look at the difference between wisdom and knowledge, knowledge is something that you can acquire, and you can know, but wisdom is the ability to see what could happen if you take or don't take certain actions because you've seen those before. Can you share any stories, since you've had a long time at the same organization, where you've started to see patterns emerge and how you've been able to apply that in your cyber risk leadership?
[00:09:28] Nick Shevelyov: It starts with an exercise of introspection. Look at yourself in the mirror first and foremost. What are your values? What do you believe in? What are your reactions to certain occurrences? Step out of yourself and observe yourself how you react and what those instincts are. Is that reflective of the person that you want to be?
[00:09:47] Nick Shevelyov: Some of the things I've learned is, and I'll paraphrase Charlie Munger. So everyone's heard of Warren Buffett. Warren Buffett's older senior advisor, Charlie, must be past 95 at this point. And he has a saying. He says, show me the incentive, and I'll show you the outcome. And so human incentive is at the root of so many of our actions. Who benefits and who pays. And so how can you align organizational incentives in a way that leads to better risk management outcomes? This applies to cybersecurity, but it can apply to how you do sales leads. And, how do you align a salesperson's goals to the values of the organization and the business outcomes that you're looking for?
[00:10:33] Nick Shevelyov: So, aligning incentives effectively through an organization. Understanding that we're all human beings and at the end of the day people will think about what is my incentive? What's the best outcome for me? And come up with a model that is, sort of, contextually aware of human incentive, and factors in the outcome that you're looking for in an organization.
[00:10:55] Earl Crane: Let's talk a little bit about justice. And so when we look at the principle of justice, it's the issue of, not just fairness, but it doesn't mean kindness. I mean, there's things of tough love as well. Do you have any insights on when you've needed to think of making a risk-based decision, or something in your history, from a justice-balanced perspective?
[00:11:23] Nick Shevelyov: The word accountability comes to my mind. You want to build teams where people have an ability to grow and deliver and have a sense of purpose and meaning. And most of the time that'll work out. Every once in a while, things might not work out the way you hoped.
[00:11:41] Nick Shevelyov: And holding people accountable, right? Giving people a second chance, but holding them accountable for the decisions that they make. And whether you're following a policy or procedure, or a very specific set of requirements, the point is that we're all adults, we're all professionals, we're working together, and we have to hold each other accountable.
[00:12:00] Nick Shevelyov: And we're able to do that. That's a win-win and when we can't do that, then that's where accountability comes into place.
[00:12:06] Earl Crane: So, because you shared this with me earlier, when you were earlier in your career, you had some challenges with asset inventory, and you learned a lot from that. Can you share a little bit more about that?
[00:12:21] Nick Shevelyov: I, started off my career in technology, quickly started trying to solve for what we called IT security problems back in those days. Ended up at a boutique security consulting firm that did work for government agencies and, you know, the mission was to do sort of attack and pen work, break into networks, but then harden them.
[00:12:41] Nick Shevelyov: And managing this team of highly technical folks. We had hardened an environment and thought we knew the assets that were in place that we were protecting, and this was 20 plus years ago. My failure was I had not really thought through the process of continuous validation of those resources.
[00:13:03] Nick Shevelyov: And lo and behold, a group of developers onboarded some applications, and those applications had vulnerabilities. And those vulnerabilities were actively exploited by a self-propagating worm. And so if you ever dealt with self-propagating worms, they move at machine speed. They'll infect an asset. And then they begin, sort of, spraying and praying to infect other assets that might have the same vulnerability. The environment that I was charged with protecting had a small infection because a small group of assets were vulnerable to this security exploit.
[00:13:41] Nick Shevelyov: But, the process of trying to self-propagate on the network created what's known as a broadcast storm and effectively rendered routing non-available, and so the systems and applications were not available to the end user. What did you learn from that? What was the takeaway from that? And so the takeaway, going back to that principle we talked about, is know thyself and never feel comfortable with knowing thyself. Establish processes and procedures within organizations that continuously monitor what the state of the environment is. And continuously challenge the logic that you've put into place, to continuously refine it and have a greater degree of efficacy and the right frequency.
[00:14:33] Nick Shevelyov: Never be comfortable with your asset inventory. Constantly be probing and seeing do you have the right set of assets? Do you understand the procurement process where you're adding assets? Do you understand the vendor management process where you're depending on a vendor? Do you know who your vendors depend on?
[00:14:51] Nick Shevelyov: Right. You need to never paint a picture that is static, right? So I talk about this in the book. Napoleon, arguably the greatest battlefield tactician in history, had a saying about never painting a picture of the battlefield, because it's too dynamic.
[00:15:10] Nick Shevelyov: Be aware that there's constant change and so establish processes and principles that you're continuously monitoring for that battlefield, and have contingency plans when things go bump in the night.
[00:15:24] Nick Shevelyov: And if you're part of a growing, healthy organization, it's growing and contracting, but mostly growing. And it's changing, and you have little subtle nuances like this application has been sunset. Well, what does that mean? To the developer, it just means maybe they're just not using it on a day-to-day basis. But what if that application is still online? Well, for a security professional, that's very much an attack surface.
[00:15:54] Earl Crane: If you could take a moment and talk to a new CISO, or a CISO that's rising into a position. They just got this position. And so they may have imposter syndrome. What advice would you give to them? What do you think are the most important values to internalize as a cybersecurity leader?
[00:16:16] Nick Shevelyov: Some of the ones that we've talked about are being an authentic individual, speak with transparency, have empathy for others, understand everyone has their own unique situations and needs.
[00:16:28] Nick Shevelyov: As you're building a team, be a servant leader. Hire and develop leaders who want to develop other leaders, right. I very much like, the mindset that the pie is growing, right, and it's not a zero-sum game. And how can you organize your teams so that you create win-wins as organizations prosper and grow. And at the end of the day, you have to be able to look at yourself in the mirror and say, were you true to yourself, were you true to your values?
[00:17:00] Nick Shevelyov: And I think if you can say yes to those things, that leads to happiness. If you're happy at home, you'll be happier at work. And if you're happy at work, you'll be happier at home. And it creates this compounding effect of happiness, meaning, prosperity. In fact, there's a book called The Happiness Advantage, that I highly recommend, out of Harvard Business School that talks about that, and factoring in a touch of levity and mirth in a very serious profession that creates happiness and the right outcomes that you're looking for.
[00:17:34] Earl Crane: You're not going to find too many people talking about the need for happiness in cybersecurity, but what can support you in those long hours and stressful decisions is the fact that you're guided internally by your intrinsic values to make sure you can still sleep at night.
[00:17:53] Earl Crane: Appreciate it. Thank you for joining us today. Nick is the outgoing chief security officer of Silicon Valley Bank, wrapping up 14 years, but certainly not the end of his career. Now starting as a number one bestselling author with his new book Cyber War and Peace, available today on Amazon.
[00:18:14] Earl Crane: Nick, thank you so much for taking the time.
[00:18:17] Nick Shevelyov: Thank you, Earl.