Mar 20, 2023
Nick Shevelyov is a cybersecurity expert who recently left his role as Chief Information Security Officer at Silicon Valley Bank to pursue consulting services.
In the mid-1990s, Nick Shevelyov began his career in technology. He soon became interested in cybersecurity and went on to work for a boutique security consulting firm. Shevelyov later spent years working in Enterprise Risk Services at Deloitte, specializing in cybersecurity and data privacy. In 2005, he joined Silicon Valley Bank as the chief security and chief privacy officer. During his 15-year tenure at the bank, Shevelyov became CIO and then chief information security officer. Throughout his career, he has been interested in understanding cyber risk from a holistic perspective.
The Book on Cyber War and Peace
Nick discusses his new book, Cyber War and Peace, which explores how organizations can apply lessons from history and behavioral science to improve their cybersecurity posture.
In his book, Nick covers a wide range of topics related to cybersecurity, from the history of technology to the importance of risk management. He highlights how ancient civilizations such as Babylon and Rome dealt with technological challenges and draws parallels to modern cybersecurity concerns. He also emphasizes the importance of knowing oneself in order to effectively defend against cyber attacks.
Nick enjoys reading about ancient Greece, Rome, and the Napoleonic Wars, among other periods. He draws upon lessons from these periods in his book, specifically around the importance of practice and preparation.
To get a sense of a company's current level of preparedness, Nick recommends asking questions about the company's existing investment, business outcomes, and risks. He also suggests using a framework like the National Institute of Standards and Technology critical security framework to measure the organization against that framework and understand where the gaps are.
Executive Planning for Investments and Technology
The need for business executives to plan ahead properly when considering investments and technology cannot be overemphasized. Nick suggests that it is important to understand the existing conditions, the age of the company, the outcomes it is looking for, the risks it may face, and the value of the data it holds. He recommends a Z-shaped relationship to connect the goals to the risks and to understand the unique risks facing the organization. Nick also suggests considering the volume, variability, and veracity of the data, and the layers of control that can be used to manage the uncertainty.
Bespoke Security Models for Organizations
Nick and Will discussed the process of creating a bespoke security model for an organization. Nick suggested using a commonly accepted framework, such as the National Institute of Standards and Technology Critical Security Framework, to measure the organization against and identify gaps. Additionally, Nick suggested considering the MITRE ATT&CK framework to assess how an organization is susceptible to different types of attacks and the OWASP Top 20 to identify any potential application vulnerabilities. To further understand the current security state, Nick suggested conducting vulnerability scans, penetration testing, and application security assessments.
He also discussed leveraging tactical conformance checks to assess an organization's cyber health. Nick provided insight into the criminal business world of hackers today, an industry run by criminals who attack organizations, steal data, and sell it on the dark web. This hacking-as-a-service model has become operationalized, and ransomware attacks, in which malware deployed on a network locks up its systems, are all too common.
He discussed the ongoing cyber war, where foreign governments are encouraging and supporting hacking of US and Western companies. He also mentioned that cyber risk is a reflection of geopolitical risk, and that organizations should always be investing in the right risk posture. Nick is now offering consulting services to help innovators and entrepreneurs all over the world improve their probability of success. He is also working as a fractional Chief Information Security Officer.
09:58 - Exploring Risk Management Strategies for Business Executives
12:16 - Exploring a Bespoke Security Model for Organizations
14:00 - Cyber Health: Leveraging Tactical Conformance Checks to Assess Organizational Risk in the Criminal Business World
17:06 - Cybersecurity and Cyber Risk
22:22 - Fractional CFO and CISO Services
27:13 - Developing a Security Program for Organizations
30:17 - DevSecOps and Risk Management
Unleashed is produced by Umbrex, which has a mission of connecting independent management consultants with one another, creating opportunities for members to meet, build relationships, and share lessons learned. Learn more at www.umbrex.com.