Nick Shevelyov Will Bachman
Will Bachman 00:01
Hello and welcome to Unleashed, the show that explores how to thrive as an independent professional. I’m your host, Will Bachman. Unleashed is produced by Umbrex, you can visit firstname.lastname@example.org. I’m here today with Nick Shevelyov, who is the author of Cyber War and Peace. His over two decades in cybersecurity, he was the chief information security officer at Silicon Valley Bank. Nick, welcome to the show.
Nick Shevelyov 00:28
Hey, Will, great to be here. Thanks for having me.
Will Bachman 00:31
So why don’t we start by just giving me a quick recap of your career and how you came to write this book?
Nick Shevelyov 00:39
Sure, thank you. So started off my career in the mid 90s in technology, working for a real time provider of financial data, and went on to manage a technology shop processing credit cards, and I noticed that people were trying to steal our credit cards. And so I wanted to double down on what we called IT security and I went to work for a boutique security consulting firm. And from there, I thought this is fantastic. I’ve got a great technical background in cybersecurity, but I want to double down and understand more holistic risk. And so I spent a number of years at Deloitte working in Enterprise Risk Services specializing in cybersecurity and data privacy. And then 15 years ago joined Silicon Valley Bank as the chief security and chief privacy officer. Silicon Valley Bank banks the innovation economy and became a global publicly traded financial institution. During that 15 year tenure, I became CIO to help launch the public cloud adoption and agile software delivery. And then my last two years where I was the chief information security officer. So over the course of that 15 years always accountable for cyber risk. And so I spent a number of years speaking in conferences how we need to learn from, from lessons from history and behavioral science. People said you should write a book about it, I never had time. So in lockdown, I wrote Cyber War and Peace: Building Digital Trust Today with History as Our Guide, and decided to be a great capstone for my career at SVB, helped hire my successors. And I left the bank on my 15 year anniversary this past May and started working as a fractional CFO and executive advisor for companies on cyber risk.
Will Bachman 02:27
So I always, I’m always have tremendous respect for business executives, who are an avid readers of history or literature or, you know, culturally educated. And it sounds like from you know, for this book, that you’ve been a student of history, tell me about some of the areas of history that you have kind of delved into, that you drew on in writing this book, any particular books in particular that you recommend?
Nick Shevelyov 03:01
Yes. So, you know, one of the quotes in the book is, you know, those who are, don’t know history are doomed to repeat it, right? And so how can we learn not just from our mistakes, but from the mistakes of others and the insights from others. And so I take the reader through, you know, you starting off from antiquity, the Romans had a saying: those who wish for peace, prepare for war. And one of the first chapters is around ancient Babylon and the Code of Hammurabi, and ancient Babylon was building an empire, but they found that had fundamental architectural challenges. And so Hammurabi, who was the emperor at the time, wrote a series of codes, one of which said that, if you build a building, and it collapses on people, that will be your fate, as well. And he got skin in the game, he got incentive. And he got people to care about architecture, and several hundreds of years later, that contributed to what was known as the Hanging Gardens of Babylon, one of the ancient wonder, one of the wonders of the ancient world. And so the lesson there is when we build technology, we should be thinking about architecture, first and foremost. In a way, cybersecurity is technology done correctly, right. And so if technology is here to enable business outcomes, you know, how do we build it correctly and safely, and so, the book walked through various insights and chapters throughout history, and it ties it to foundational principles in cybersecurity. And for those who are more technically inclined, I link the principle to the National Institute of Standards and Technology critical security framework on the end, so you kind of connect the dots on how do you start off with a sound foundation? How do you think about architecture. Another chapter talks about how did 300 Spartans hold off a million man Persian army? Well, they pick their battles, and they manage their attack surface.
And 300 soldiers are able to hold off a million man army because they fought in a very narrow space called the Hot Gates. And in cybersecurity, we do not want to have a broad attack surface. We don’t want a tail that our attackers hit us from any place. And so we want to architect our defenses, so that we’re managing these, these attack surfaces effectively. And it goes on to the principle of Know thyself. The philosophers of antiquity, those who practice stoic philosophy, talked about Know thyself, first and foremost. And there’s a chapter that talks about Know thy inventory, Know thy applications, Know thy data. And it ties in well with Sun Tzu’s concept of Know thyself and Know thy enemy, and you’ll win 100 battles. So those are some of the ideas in the book and you kind of walk through various key chapters. And it culminates with the Trojan War and how the Trojan War lasted 10 years and ultimately, the, the Greeks got into Troy by planting the Trojan horse and the Trojans are brought that in, and then they broke into the city walls that way. And ultimately, organizations today introduced Trojan horses into their organizations all the time, if they don’t do third party risk management correctly, if they don’t manage their defenses as well. So those are some of the ideas and principles that hopefully can translate well to business executives.
Will Bachman 06:56
For you, personally, have you always been an avid reader of history? Are there certain periods that appeal to you? It sounds like you’ve drawn a lot on the ancient Greek and Roman period.
Nick Shevelyov 07:10
You know what, I have been, you know, luckily enough, as a kid, I became a super avid reader. And today, I read hard copies. I listened to audibles, I listen to podcasts. And it’s a great source of fun for me, it’s a treat to read books. And so yeah, I mean, I love reading about ancient Greece and Rome, but also the periods of the Renaissance, the Napoleonic Wars, the last 100 years. There’s something to learn from all, from each of these periods, and I touch upon the Napoleonic Wars quite a bit in the book, arguably one of the greatest tactical minds in history. Some of the lessons from Napoleon are drawn upon in the book as well, and specifically around the Battle of Waterloo. But there are also, interestingly, some chapters around Trafalgar. And if you go to the city of London, and you go to the geographic center, there is a monument of four lions, and there’s a pillar and at the top of the pillar stands a statue of Horatio Nelson, who was a great naval commander, who defeated Napoleon’s Navy at the Battle of Trafalgar, and prevented Napoleon from invading England. And so one of the lessons there is that the English were able to fire three cannon balls for every one cannon ball the French fire, and that’s because Admiral Nelson drilled a lot. So they practiced a lot. They were always exercising while the French did not. And before the end of his life, he was asked, What’s the secret to all of your success? And Admiral Nelson replied, always having been prepared one quarter of an hour beforehand. So the lesson for the reader is practice, practice, practice your resilience in response. And so kind of back to your original question, Will, is yes, I am an avid reader, I love history, but I also love technology. And so combining that with philosophical insights, I’ve woven all that into the insights from the book.
Will Bachman 09:32
So you’re sitting down with an executive at a company who perhaps has read your book, not a cybersecurity expert. Everybody’s always a little concerned about this, maybe they’re a lot concerned. What are some of the questions that you’re going to ask that person to get a sense of their current posture and their current level of preparedness of their company?
Nick Shevelyov 09:58
Yeah, you know, I raiment. As a start, as they say, for example, you were someone that you cared about. And the person that you cared about said, hey, look, I’m not feeling well. So my plan is to go to a drugstore, buy 50 different drugs and take them in various dosages at various times and see how I feel, you’d probably say, Stop, don’t do that, you should go see a doctor. Then if you went to go see a doctor, and the doctor didn’t ask you any questions, didn’t conduct any examination, didn’t even give you a diagnosis. And they just said Here, take these five drugs and see how you feel and come back in a week, you’d say, well, that’s medical malpractice. And so the way I kind of try and frame it for business executives is that we need to spend time listening to what are the preexisting conditions? What’s the age of the company? What’s the existing investment? What are the business outcomes that you’re looking for? What’s the three year headline for your organization? How do we work backwards with shared objectives and key results to achieve those outcomes? And how can technology support those business outcomes? And what are the risks? And that if you can think of that Z shaped relationship with the Z connects to the line connecting the to the Z? That’s the risk that they’re in? And how do we find? What are the unique risks facing your organization? And so understanding what’s the value at risk? Right, what kind of data that you have? What’s the value of the data? What’s the volume? What’s the variability? What’s the? What’s the veracity of the data that you have? So understanding and dimensionalizing, the value at risk? And then what are the business processes impacting that? And what sort of layers of control that you have, because you’re ultimately managing your uncertainty on that. 
And so coming up with a bespoke model for an organization, based on their business profile, based on their business outcomes, and the risks associated with that is sort of the journey that I like to have a discussion with business leaders on.
Will Bachman 12:16
So that’s a helpful outline. Can you tell me? Is there a kind of standard diagnostic you would do? Or what’s the next level behind behind that overall kind of high level view? Is there a kind of a structured process that you would go through to do a diagnostic to understand the current state?
Nick Shevelyov 12:38
Sure, I would take a commonly accepted framework. So let’s take the National Institute of Standards and Technology critical security framework, and let’s measure the organization against that framework, and understand where the gaps are. So you find certain gaps with that. And then you think about another framework is the MITRE ATT&CK framework, how do attackers think about attacking organizations? And based on your gaps, and where are you susceptible to those types of attacks, and then another dimension would be the OWASP top 20. So the this is how, what sort of vulnerabilities do your applications have. And then that gives you a dimensional risk perspective. And depending on the environment, you can do vulnerability scans, you can do pen testing work, you can do application security assessment work, if you’re, a lot of companies are in AWS today. So you can leverage more tactical conformance checks where automatically you can compare yourself to these different frameworks. So it’s using the right horses for the right courses at the right time, in order to assess your organizational cyber health. Does that make sense?
Will Bachman 14:00
It does. Tell me a bit about the criminal business world today of the hackers. And my sort of just general level of knowledge understanding is that it might have been somewhat disorganized a couple decades ago, of individual, opportunistic people doing it. But today, there’s just the whole kind of, you know, criminal industry where people would get promoted over time and their standard roles and, and maybe firms doing this. And I don’t even know if there’s a, you know, criminal underworld version of LinkedIn where people would post job opportunities and so forth. But just give us a little bit of insight into that into that world.
Nick Shevelyov 14:49
Yeah, you know, we all know Warren Buffett. Warren’s, I think, 98 year old best friend Charlie Munger has a phrase that he lives by: Show me the incentive and I’ll show you the outcome. So, you know, we’re running businesses here in the United States and globally. And they’re and they’re sort of the economy at scale. But there’s a dark economy, there’s a, there’s a black market of criminals who have, over the course of time, built their own industry. And so it’s sort of hacking as a service, where they will attack organizations, steal data, dark, sell it on what’s known as the dark web, which is sort of a criminal internet. And it’s very much become operationalized, where you become a victim of an attack, whether it’s a ransomware attack where malware is deployed on your network that locks up your systems and applications. And a ransom is demanded that you pay or you lose your data. And so this is happening every day, every moment, it’s on the cover of The Wall Street Journal. And so there are different countries around the world, who don’t have our interests at heart and view us as a target. And this, again, is not new, right? This has happened throughout history, if you think about 1492, the New World, quote, unquote, is discovered. And the Spanish begin to prosper, and transport gold to the old world. And so the British took license and a lot and sold licenses for pirates to be able to attack the Spanish and steal that gold, and that was private terrorism. And so this kind of is what’s happening is that foreign governments unfriendly to the US are allowing and even encouraging and supporting hacking of US and Western company, Western companies and countries. And so there is a hot war in the cyberspace that’s ongoing.
Will Bachman 17:06
And give us any insight you have into that world in terms of, you know, is there like a career path for criminals, they would start out as a, you know, an associate hacker and they get promoted to senior associate Engagement Manager hacker or like Vice President, I mean, like actual companies that are doing this with just they go to the job nine to five, and they work on hacking, and there’s probably, you know, a salesperson who’s selling the services of these hacking firms like, what’s the I have no insight at all into this world? I’m curious what you’ve seen kind of trying to monitor it from the outside.
Nick Shevelyov 17:41
Yeah, there are aspects of that where you start off as an entry level analyst in one of these organizations, and then you can grow over the course of time. They have, they publish on the internet how they celebrate and reward their employees, how they, you know, sell malware as a service, again, malicious software that’s intended to do harm. And you see these different phases where the last few years ransomware was very big news. And you saw the impacts, they had Colonial Pipeline where the East Coast, the oil was impacted from that attack. And now you’re seeing a shift with the war in Ukraine is the, a lot of the Eastern, former Eastern Europeans, Soviet Bloc countries. They’re targeting there, they’ve shifted their attacks to target the Ukraine. And so I think in a lot of ways, cyber risk is a reflection of geopolitical risk. And today, we have a high degree of tension greater than the past. And then you have other nation state actors who sponsor the acquisition of intellectual property through hacking. And so over the last 10, 15 years, you’ve seen a huge amount of US intellectual property being stolen by foreign threat actors. And so yeah, there’s an industry to both attack, do harm and extract data out of our country and other Western countries. And it’s an ongoing struggle that organizations just need to be aware of is one of the costs of doing business.
Will Bachman 19:29
Mentioned Ukraine. What’s been the impact there of Russian hacking? At least some things I’ve seen on Twitter suggest that it’s been a little bit of a dud in terms of or less impact than then people had feared. Maybe that’s just because Ukrainian defenses were very good, but give me the actual scoop on that.
Nick Shevelyov 19:55
Yeah, in anticipation of the war, there was a lot of fear it would unleash a cyber Armageddon. And it didn’t really come to fruition. A, I think that in a lot of ways organizations are better positioned today than they were in the past. But B, you know, maybe our adversaries didn’t have quite the capabilities we thought, and C, they targeted a lot of their energies towards the Ukraine. So knock on wood, we’re not necessarily experiencing a higher degree of risk and cyber as a result of that geopolitical risk. At the same time, the idea of only the paranoid survive continues on, right, is you can never think that you’re safe. You all again, those who wish for peace prepare for war, you always need to invest in the right hygiene and risk posture in case things change drastically.
Will Bachman 21:03
Talk to us a bit about the consulting services that you’re offering now, the type of project work and advisory work that you do, since you’ve left your role as the Chief Information Security Officer at Silicon Valley Bank.
Nick Shevelyov 21:17
You know, for years, I, my job was to defend the fastest growing bank in the United States now a large financial institution, one of the top 12 In terms of asset size, and that was a great sense of pride, and accomplishment. But I also I had, my part of my job was to help innovators and entrepreneurs all over the world and improve their probability of success. So I got to know some of the coolest companies in the world. And so what I wanted to do is I left us up is to spend about part my part of my time as a fractional chief information security officer. So I help non security companies improve their cybersecurity posture, again, taking that physicians approach, listening, learning, and then advising based on certain prescriptions. And then about half my time being a CEO whisperer, helping security product company CEOs improve their probability of success, helping them evolve their products, and evolve their go to market strategy. And so I’m working with a variety of different clients in that capacity.
Will Bachman 22:22
Talk to me about the role of fractional CFO or chief information security officer, what you discuss, sort of your doctor type of approach of understanding the patient. What, what’s that look like to be fractional CISO? And how much time commitment would it be? What do you, what’s kind of, how are the phases? As mentioned, you start with a diagnostic effort, but then what’s that involved in to, what are some of the typical, like, efforts that you would work to implement?
Nick Shevelyov 23:00
Sure. To the point that we talked about, well, it’s spending a little bit of time to understand the current state, understand the history of the organization, the technology investments, what’s, what’s the business strategy, right? Is it growth? Is it cloud adoption? If cloud adoption has occurred, is it single cloud, is it multi cloud? In a lot of cases, you want to have one cloud presence, but multi cloud chooses you through growth and acquisition. And it’s just foundationally: know thyself, know the assets, know the data, know the investments and services. And what business outcomes are you looking for? And then coming up with a plan on how do we begin to improve our posture? For example, a lot of companies jumped into the cloud, into AWS, for example. And so working through, say, okay, let’s take a conformance check view of how our posture looks like compared to a commonly accepted best practices taxonomy, identifying the gaps, beginning to remediate those gaps. And then do root cause analysis. What are the five whys on how we got here? And how do we gradually evolve processes so that we don’t re reoccur and, and create the same security risks that we had in the past? And then evolve, going from tactics to strategy and from strategy to logistics to help an organization improve that posture and then reassess? Did we improve, right? We can’t, we can’t really manage something we don’t measure and I would argue we can’t measure something we don’t know how to manage. And so building a culture of measurements that you help understand, are things getting better or still things staying the same or things getting worse. And why, right, and doing root cause analysis on that, and so that’s the approach I’ve taken. And this approach, I think, works well whether you’re a legacy on prem environment, or you’re a five year old company that’s 100% in the cloud, these principles are applicable and provide valuable insights. So that’s the approach that I take.
Will Bachman 25:20
What are some of the common issues that you identify when you’re identifying these gaps? What are some of the more common things that you see?
Nick Shevelyov 25:31
Common things are, you know, the road to hell is paved with good intentions, right? We build fast, we want it to grow. But we don’t know what our assets are, we don’t know what our data volume is, and where it is we, we don’t have fundamental controls in place, we, we think we have a protection airy measure in place, but it’s not 100% deployed, we do have multifactor authentication in place, but it’s not 100%. Only 50% of our users use it. And so these, these holes exist. And I kind of talked to my clients about you know, white swans are known unknown risks. Right, gray swans are known unknown risks. Black Swans are unknown, unknown risks. And then there are the red swans, red swans are known knowns that just aren’t so and those are the ones that really burn organizations where, you know, you know about the various risks, you’re working on them, and then you think a control is in place, and you think it’s working. And then you realize, and hopefully, you realize, before anything bad happens, that the control actually is not working, or not working as intended. And so this is where the discipline of continuous sort of evaluation of your risk posture comes into play. And I aspire to help organizations help themselves develop good processes in good hygiene that result in better outcomes.
Will Bachman 27:13
And what would an just given us example of pick one potential one client you may have served? What would the process then of implementation over time? So now you’ve identified some of these issues? What would the, you know, give us an example of a timeline and the actions that you take or that you help the team take by either hiring the right people? Or how do you actually go about addressing some of these?
Nick Shevelyov 27:42
Yeah, is helping them build a security program bespoke for their needs, right? The right horses for the right courses at the right time. If you’re a big organization with a legacy environment, you might need help, you know, creating some job descriptions to address some of your current and future risks. If you’re a fast growing organization that has adopted cloud, maybe you don’t know about all the features and functionality that are available to you. So helping the diagnosis that I talked about, the examination, and then coming up with a timeline. And in some cases, I’ll spend 90 days with the client to create that self assessment. And then we’ll do the next three to six months to actually remediate those issues. And we’ll do, we’ll come up with a project plan and then we’ll track against the project plan. And we’ll create tickets for development teams to work on a backlog to remediate vulnerabilities that we find. And we establish controls, and then we re measure how did we do? And I use, in sort of the DevSecOps world, which is software development paired with operations paired with security, I use baseline objectives and optimization measurements. And these define measurable objectives to gauge whether your security program manages risk effectively in a DevSecOps world, and the five baselines are: what’s the survival analysis? How long do risk events exist in our environment? What are the burndown metrics? Are we reducing existing risk faster or slower, month over month? What’s the arrival rates, number of new risks, for example, security vulnerabilities entering our environment? And what’s the wait times, the time between arrival or risk causes and risk remediation? And finally, what’s the escape rate? What’s the number and types of risks moving from our dev environment and to prod or production environment? So those are some of the common frameworks that I use, but also building key performance indicators, key risk indicators.
I managed hundreds of those at the bank but that might not be applicable to all organizations, you might want to have a subset of that. You might want to have a crawl, walk run approach where you start measuring things and the first half of the year, but then you add to those measurements in the second half. So those are some of the more bespoke approaches that are usable.
Will Bachman 30:17
Fantastic. Nick, if someone wants to follow up with you find out more about your practice your firm, where would you point them online?
Nick Shevelyov 30:27
Sure, Nick cheveldayoff.com and ickshelyov.com, or email me and sh email@example.com. And I look forward to hearing from you and seeing if there’s a way to work together.
Will Bachman 30:48
Fantastic. Nick, thanks so much for joining today. It was great, you know, hearing about your book and about your practice. And we will include those links in the show notes.
Nick Shevelyov 30:58
That’s great. Thanks for having me, Will.