In this week's episode Dr. Crane speaks with Nick Shevelyov, former chief security officer of Silicon Valley Bank and author of Cyber War and Peace, about staying true to your values and applying the principles of Stoicism, wisdom, justice, courage and moderation, in the context of information security leadership.
Nick is wrapping up over a 14-year rise at Silicon Valley Bank. As the security leader, banking the world's most innovative companies, SVB provides diverse financial services, global network and world-class service with over $150 billion in total assets, and more than 3,500 employees.
Nick also recently released a new book that artfully combines the philosophy of stoicism and information security in Cyber War... and Peace. Today, I'm talking with Nick about how he meets the challenges of the demanding customer base and how he uses the concepts of stoicism to help him serve and protect his customers.
In this episode:
00:00 — Welcome
02:24 — Introductions
02:28 — Cyber War And Peace
03:34 — How To Apply The Values Of Stoicism To Cybersecurity
06:42 — How To Apply Courage While In The Role Of CISO
08:53 — Applying Wisdom In Cybersecurity
10:51 — Applying Justice In Cybersecurity
12:00 — Knowing Yourself And Asset Inventory
15:40 — What Values Are Important For A New CISO
17:36 — Sign Off
Nick Shevelyov:
Website — https://www.nickshevelyov.com/
Cyber War... And Peace — https://www.nickshevelyov.com/the-book
Links in this episode:
The Happiness Advantage — https://www.shawnachor.com/books/happiness-advantage/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/010-the-stoic-ciso-with-nick-shevelyov
In this week's episode Dr. Crane talks to Mike Wilkes, formerly the CISO at Marvel Comics, about keeping Iron Man safe and digital media security.
Mike is the chief information security officer at Security Scorecard, the global leader in cybersecurity ratings, and the only service with over a million companies continuously rated. Previously he was the CISO at the American society of composers authors and publishers or ASCAP and Marvel entertainment.
He has built transformed and protected companies such as AQR capital, CME Group, Sony, Macy's as well as other European banks and airlines, a graduate of Stanford University and author of a book for Cisco Press in 2002. He's a featured speaker at technology conferences and is a professor at NYU teaching cybersecurity courses. He's also on the board of trustees for the national jazz museum in Harlem.
This episode was recorded when Mike was the CISO at Security Scorecard, he has since moved on from this position.
In this episode:
00:00 — Welcome
02:00 — Introductions
02:21 — Data Classification
03:50 — Document Management
05:21 — Marvel Security
06:38 — What Does Marvel Excel At In Information Security
07:55 — Tribal Knowledge For A New CISO
09:29 — Heraclitus
10:23 — Hackers
11:18 — Hacking Story
13:17 — Lessons For CISOs On Hacking And Experimenting
14:40 — Advice For New CISOs Starting a Team
18:52 — Tips For Companies Looking To Improve Security
22:24 — Sign Off
Mike Wilkes:
LinkedIn — https://www.linkedin.com/in/eclectiqus
Links in this episode:
The Security Chaos Engineering Book — https://www.kellyshortridge.com/book.html
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/009-keeping-iron-man-safe-with-mike-wilkes
In this week's episode Dr. Crane talks to Yiannis Pavlosoglou about Resilient Systems.
From supply chain shortages to natural disruptions from changing weather patterns, it seems everything today needs to operate while under some type of duress or attack. But what do CISOs need to know to create resilient systems? And what can we learn from other CISOs who've already gone down this path?
NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. That's a mouthful, but what does it actually mean to have to build a resilient cyber program to drive the change management necessary to build that type of program, to put in place the governance processes and procedures necessary.
To discuss this and more, who better to talk with cyber resiliency and governance than Yiannis Pavlosoglou. Currently, the Founder and CEO at Kiberna, and most recently, the CISO for UBS in the UK.
In this episode:
00:00 — Welcome
02:42 — Introductions
03:35 — What Is Resilience?
04:08 — What Works?
05:37 — CISO as a Change Agent for Resiliency
07:07 — Challenges Driving A Resilient Organization Forward
08:47 — Where To Look To Build Resiliency
11:01 — Challenges To Building Resiliency
12:20 — The Role Of The CISO In Leading Cyber Resiliency
16:11 — Tools For Building Resiliency
18:29 — What To Do Once You Have A Set Of Risks To Tackle
19:45 — References
21:14 — Sign Off
Yiannis Pavlosoglou:
LinkedIn — https://uk.linkedin.com/in/yiannisp
Kiberna — https://www.kiberna.com
Links in this episode:
Operation Resilience for UK Financial Bodies — https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
FCA on Building Operation Resilience — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
CERT Resilience Management Model — https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30375
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/008-resilient-systems-with-yiannis-pavlosoglou
In this week's episode, CISOWise guests such as Mike Wilkes, former CISO for Marvel, Nick Shevelyov, former Chief Security Officer for Silicon Valley Bank, and Tim Brown, CISO of SolarWinds, talk about failure, culture and keeping your sanity in cybersecurity.
In this episode
00:00 — Welcome
02:35 — Alan Levine On His Single Biggest Technology Failure
05:41 — Tim Brown On Advice For CISOs Potentially Facing A Large Incident
07:17 — Yiannis Pavlosoglou On Shortcomings Of No Resilience
09:55 — Mike Wilkes On Having A Social Contract With Your Team
11:12 — Brandon Hines On Example Of A New CISO Misaligned With The Organization
13:52 — Mike Wilkes On How Has Marvel Maintained Security Standards For So Long?
15:30 — Nick Shevelyov On Advice To A New CISO Dealing With Greater Responsibilities
17:26 — Brent Maher On What Works In Engaging Business Units With Strategy
19:13 — Joe Robinson On Not Taking Business Decisions Personally
20:11 — Outro
Alan Levine:
LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a
CISO Street — https://www.cisostreet.com/alan-levine/
Tim Brown:
Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/
LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/
Yiannis Pavlosoglou:
LinkedIn — https://uk.linkedin.com/in/yiannisp
Kiberna — https://www.kiberna.com
Mike Wilkes:
LinkedIn — https://www.linkedin.com/in/eclectiqus
Brandon Hines:
LinkedIn — https://www.linkedin.com/in/brandonjhines
Nick Shevelyov:
Website — https://www.nickshevelyov.com/
Cyber War... And Peace — https://www.nickshevelyov.com/the-book
Brent Maher:
LinkedIn — https://www.linkedin.com/in/ciso-brentmaher
Joe Robinson:
High Peaks Solutions — https://highpeakssolutions.com/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/007-failure-culture-and-keeping-your-sanity-in-cybersecurity
In this week's episode Dr. Crane talks to Brandon Hines about building your cybersecurity team and culture, from your first to your hundredth hire.
Brandon Hines, the vice president of security at Dimensional Fund Advisors, has spent over 14 years establishing and growing a cybersecurity program and continues as a senior leader. Brandon has deep experience in hiring and then managing an effective cybersecurity team.
In this episode:
00:00 — Welcome
01:33 — Your First Hire
02:53 — Brandon's Method for Hiring
04:27 — Mistakes And Red Flags In Hiring
05:28 — The Importance Of Training
08:25 — Gaining Insights From Business Units
10:38 — Assessments
11:58 — Weighing Consistency In Assessments With Diversity Of Assessments
12:52 — The Value Of A Security Framework In Maintaining Consistent Assessments
14:08 — What To Look For When Hiring A Third Party For Assessments
16:24 — Dangers Of A “Brittle” Third Party Assessment
19:03 — Sign Off
Brandon Hines:
LinkedIn — https://www.linkedin.com/in/brandonjhines
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/006-your-first-100-hires-with-brandon-hines
In this week's episode Dr Crane talks to Brent Maher, former CISO Johnson Financial Group, about the human element of phishing and communicating value to stakeholders.
This episode was recorded when Brent was CISO of Johnson Financial Group. He is now the Chief Technology Officer.
In this episode:
00:00 — Welcome
01:14 — Introductions
01:18 — What Works? What Doesn't?
02:28 — Successes In Mitigating Phishing
03:41 — The Human Element Of A Phishing Program
06:20 — Getting Approval For A Phishing Program From Executives
08:32 — Challenges In Implementing A Phishing Program
11:24 — Sign Off
Brent Maher:
LinkedIn — https://www.linkedin.com/in/ciso-brentmaher
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/005-developing-a-phishing-awareness-program-with-brent-maher
In this week's episode Dr. Crane talks to Alan Levine about his experience building a cybersecurity program, what he got right, what he would do differently, and why being a CISO is hard.
Alan is the former CISO for two Fortune 500 companies, Alcoa and Arconic, with over 35 years of experience leading global cybersecurity programs. He is also a founding board instructor at the Carnegie Mellon CISO program where he lectures to current and rising CISOs on stories from the trenches.
In this episode:
00:00 — Welcome
01:26 — Introductions
01:29 — Surprises When Building A Cybersecurity Program
03:22 — Dealing With An Audit As A New CISO
04:47 — No Credit For Successes, Credit For Failure
06:05 — Making Friends And Allies
07:56 — Effective Actions And Controls
10:04 — User Awareness and BYOD
13:10 — Building Trust With Your Users
15:53 — The Most Misunderstood Part Of Being A CISO
19:50 — Sign Off
Alan Levine:
LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a
CISO Street — https://www.cisostreet.com/alan-levine/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/004-being-a-ciso-is-hard-with-alan-levine
In this week's episode Dr. Crane speaks to Joe Robinson about why he thinks CISOs should report to the CIO, and design considerations for organizational structure. The discussion covers topics such as who is responsible for vulnerability management and building trust as a CISO.
Joe is the founder and CEO of High Peaks Solutions, a cybersecurity venture focused on helping clients develop real insights and enhance their security programs to prepare for the ever-growing number of cybersecurity threats.
He also previously was the executive vice president and director of information, technology, and operations for Fifth Third Bank where he led the information technology, cybersecurity, data management, and bank operations divisions.
In this episode:
00:00 — Intro
02:03 — Should The CISO Be Under The CIO
03:21 — The First And Second Line
04:29 — The Role Of CISO In The First And Second Lines
05:56 — Organization Of Security Leaders Along Lines
07:29 — What Works And What Doesn't When Organizing Along First And Second Lines
09:16 — Ownership Of Responsibilities And Resources
10:58 — Communication And Relationships Between CISOs and Technology Teams
13:21 — Reporting To A Board Of Directors
15:30 — Building A Program For Reporting To The Board
16:26 — What Works In Building Trust As A CISO
18:27 — Common Mistakes In Building Trust And Relationships
19:17 — Getting From "No" To "Yes And Here's How"
21:28 — Sign Off
Joe Robinson:
High Peaks Solutions — https://highpeakssolutions.com/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/003-the-view-from-the-cio-with-joe-robinson
In this week's episode Dr. Crane speaks with Mark Morrison about understanding and communicating with business units when implementing a security program, and managing a workforce in the face of shortages.
Mark is the senior vice president and chief security officer at the Options Clearing Corporation. Previously, Mark was the chief information security officer with State Street Bank. Mark has had a long and distinguished career in the Defense Department and intelligence community serving in multiple cybersecurity leadership roles.
In this episode:
01:32 — Introductions
01:36 — What Works In Driving Security Initiatives?
03:08 — Successes In Resiliency And Being Proactive
04:12 — Organizations Falling Behind On Being Proactive
04:50 — Challenges In Understanding Critical Business Processes And Elements
07:03 — Determining Return On Investment Of Security
08:08 — Communication With Business Units When Implementing New Controls?
08:41 — Overreach In Security Affecting Business Processes
10:13 — Resiliency And Planning For Attacks
13:00 — Cybersecurity Workforce Shortage
15:10 — How Do You Ensure Your Cybersecurity Program Is Adequately Staffed?
16:32 — Successes In Cybersecurity Drawing Workforce From Military
17:42 — Sign Off
Mark Morrison:
The OCC — https://www.theocc.com/Company-Information/Executives/Mark-Morrison
Links in this episode:
US Cyber Command — https://www.cybercom.mil/
The SEI — https://sei.cmu.edu/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/002-establishing-your-cyber-program-with-mark-morrison
In this week's episode Dr. Crane talks to Tim Brown, the CISO of SolarWinds about the Sunburst malware intrusion, how it affected him and his company, the changes he made, and how Tim stayed on as CISO after the intrusion.
SolarWinds shot to national prominence due to the Sunburst malware intrusion, first discovered by FireEye in 2020.
This incident resulted in the first stand-up of a cyber unified coordination group, with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence, to coordinate a whole of government response to this incident.
The Atlantic council said that Sunburst was a significant moment for cloud computing security and the attack raised concerns about the existing threat model that major cloud service providers use. Now imagine being the cybersecurity leader at the organization identified in this intrusion that affected thousands of customers.
That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory.
In this episode:
00:00 — Highlight Clip
02:07 — Introductions
02:54 — Sunburst Incident Overview
05:55 — Difficulties Of Handling An Incident During The Holidays
07:05 — How Tim Stayed As CISO
09:06 — Pivoting From Internal To External Facing CISO
11:16 — Organization Reporting Obligations
12:58 — Finding Help For A Large Incident
14:16 — Reaching Out To National Defenders
15:56 — Cooperating With CISA For Messaging
16:47 — Lessons And Improvements Going Forward
18:58 — Validating A Digital Supply Chain
20:55 — Assume Breach Before And After
21:24 — Sign Off
Tim Brown:
Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/
LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/
Links in this episode:
SolarWinds RSA Presentation — https://www.youtube.com/watch?v=7DHb1gzF5o4
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Heinz College:
https://www.facebook.com/heinzcollege
https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/
Carnegie Mellon:
https://www.linkedin.com/school/carnegie-mellon-university
https://www.facebook.com/carnegiemellonu
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/001-tim-brown-on-sunburst
In this teaser episode Dr Earl Crane talks to Tim Brown, CISO of SolarWinds about the recent Sunburst malware intrusion and the security-by-design philosophy.
SolarWinds, shot to national prominence due to the Sunburst malware intrusion. It resulted in a coordinated whole of government response to this significant cybersecurity incident.
As stated by CISA, an advanced persistent threat actor was responsible for compromising the SolarWinds Orion supply chain as well as widespread abuse of commonly used authentication mechanisms. Throughout the attack, the Sunburst intruders maintained significantly high levels of operational security to avoid discovery. The Sunburst malware landed in its prospective targets and waited patiently for two weeks before initiating any activity.
Now imagine being the cybersecurity leader at the organization identified by name in this intrusion that affected thousands of customers. That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory.
