Q&A with Nick Shevelyov, Chief Technology & Risk Strategist at Silicon Valley Bank
Security and privacy have always been important to Nick Shevelyov. One of his earliest memories as a boy was having to walk to the sink and run the water faucet as a way to confound any surveillance bugs within their Moscow apartment. He carried those childhood memories into his cybersecurity career.
After 14 years as Chief Security Officer at Silicon Valley Bank (including 1.5 years as Chief Information Officer during that tenure), Nick is shifting into a senior advisory role at the bank as he explores what his next adventure will be. Nick is also a guest speaker at tech and security industry events and holds an undergraduate degree in economics and an executive MBA. Nick recently completed his book, Cyber War … and Peace: Building Digital Trust Today with History as Our Guide. The book combines storytelling and Nick’s childhood memories, contrasting historical military conflicts and other historical incidents with today’s cybersecurity challenges. Proceeds from book sales will be donated to NextGen Cyber Talent, a charity Nick is passionate about. NextGen Cyber Talent’s mission is to educate underprivileged, underserved talent and to increase diversity in the cybersecurity space.
In this interview, we discuss Nick’s book, his technology and security career, and his thoughts on identity management.
Thank you for joining us, Nick. How did you get started in technology, specifically cybersecurity?
I’ll start with something I talked about in my book. I’m ethnically Russian, born in the United States. But in the early 70s, during the Cold War, the US wasn’t a friendly place for ethnic Russians. So, my family and I moved back to the Soviet Union, and my dad worked for the State Department. But because my dad was a former Marine working for the State Department, we were viewed as spies.
I spent formative years living in an apartment in Moscow that was bugged. I learned at an early age that if you have something important to say, you signal to someone, and then you go over to a kitchen sink or a bathroom sink. You run the water to talk because that disrupted the efficacy of bugs listening to your conversations. This provided me with an understanding, at an early age, that your privacy can be violated at any time. Eventually, my dad was taken away by the KGB and interrogated for publishing an accurate map of Moscow. We left the Soviet Union.
Fast forward to my later years as a kid, and I was the kid who set up computer networks for the local neighborhood households. Later, I attained my undergraduate degree in economics. My first job out of college was at an enterprise that provided real-time financial data. At that job, I would volunteer for any project I could get my hands on. I ended up building their first corporate intranet.
Can you share your experience and some of the nuances of holding both CIO and CSO roles?
Interestingly, the legacy view of things is that the CIO and the CSO might not get along as they have different goals. And then, as you grow, you probably shouldn’t have security reporting to the CIO because the CIO wants availability and enablement. And in some cases, there’s friction between the two.
For me, I have a technology background. I felt comfortable in the CIO role. It did help me build empathy for the CIO. The CIO is under pressure to deliver digital transformation, availability, and scalability. Sometimes there are friction points, and how do you balance the two? And I think for me, personally, it made me a more well-rounded technology business leader to think through the trade-offs of what we want to deliver for digital transformation and enablement and how we defend that technology.
I adopted an 80/20 rule. That rule states that approximately 80% of our budget ought to be spent on digital development and enablement, while, depending on the situation, roughly 20% ought to be spent on protecting it.
I find it fascinating how 20 years ago, the security officer’s role was technically focused. It was often viewed as being detached from the business. Fortunately, the way modern security programs are run, it’s governed as an integral part of the business.
You have to think holistically. You’re a business. You need to deliver outcomes. You’re enabling your clients now, and the world is changing quickly. It’s a good idea to solve these challenges by coming at them backward.
How do you enable your clients while securing their and your data? How do you invest appropriately? It’s always a balancing act with trade-offs.
There are three lines of defense at SVB. I’m the first-line operator, and everything I do is scrutinized by our second line of defense, our risk assessors. And then there’s the third line of internal auditors. And then there’s the fourth line, the external line of Federal Reserve Bank examiners and state regulators.
While there’s all this regulatory scrutiny in the financial space, many organizations benefit by looking at their defense this way. How do you develop your lines of defense? What about the maturity of the different programs that you’re trying to manage?
That’s fantastic. How does identity management or identity security fit into the modern security efforts that you describe?
I think it has to be at the forefront. You have to acknowledge the layers of defense that are in place today: your firewalls, your proxies, your antivirus, your vulnerability management. It’s all in place. But how do you have the processes in place to manage your identity for your joiners, movers, and leavers? And how do you tie that into identity proofing, which proves you are who you say you are? Then there is identity affirmation, the process in which identity is reinforced, and identity verification, which is done in conjunction with the transaction.
These are all part of identity proofing and affirmation verification. And something all organizations have to think about today is zero trust access control, as well as multi-factor authentication. With zero trust, as you log in, your system is run through a security health check, and then the identity management software kicks in and makes sure that only the right people have the right access to the right resources at the right time.
If you have that capability tied with roles, that refines what people can access even further. And then, you need to verify that you have the right credentials perpetually. If you walk into a building today and pass through security with a badge, and then you’re allowed to wander into different rooms, the integrity of your physical security may be at risk. That’s similar to how we should be thinking about your digital access and your digital rights. Everyone is allowed in for a specific time while they’re validated. And based on their job roles, they can only access certain aspects of the environment.
Those are some of the concepts that organizations need to be thinking about when it comes to identity.
What are your thoughts on how AI can potentially help enterprises more successfully meet their broad cybersecurity challenges?
The classic definition of artificial intelligence was whether or not you could pass the Turing test. Today, we’ve kind of passed that test, but I think it’s now become an umbrella term. And for me, for the last ten-plus years, AI and machine learning have been showing a return on investment in identifying fraud. And it’s pattern recognition. The same capabilities with AI are now happening in extended endpoint detection and remediation.
Such algorithms are essential to scaling capabilities. We’re at an exciting point in history. Historically, intelligence was tied to consciousness. We are human beings, carbon-based life forms, and we have intelligence. But as we develop more intelligent and smarter algorithms, we are decoupling intelligence from consciousness for the first time. Because intelligence, machine learning, and our big data have no consciousness.
How do we use that to get good business outcomes, good risk outcomes? You have to invest in it. There are a lot of leaders in this space. And you need to use intelligent algorithms to scale your organization and have a process in place where the human oversees the loop and is validating that the outcomes you’re looking for are occurring.
Where did you get the idea for your book?
I decided that I would take some feedback I’ve gathered throughout my career and go through a process of introspection: what do I believe? Why do I believe it? What’s important to me? How do I want to manage teams? What kind of a leader do I want to be? I want to be a servant leader. I want to build leaders. I want to develop leaders who develop other leaders. What are my earliest memories? And why are they important to me?
During this contemplation, I kept coming back to my father’s story before we emigrated back to the Soviet Union. The story was about a Spartan boy who caught a fox. To learn more about the story, you’ll have to read the book. But that story left an impression on me. I kept asking myself: why has this story, the earliest story that I remember, left such an impression on me, and how can I remember it so clearly? That’s when the power of storytelling started to resonate with me. I began to introduce it in public speaking engagements, where I would give speeches and keynotes at seminars or conferences. And I began to take the power of storytelling and connecting it with lessons from history using logical thinking and applying it to how one should think about cybersecurity management.
People liked it. At the end of these keynotes, people would come up and say, you should write a book on this. This happened for years and years. I just didn’t have the time. But when the lockdown occurred, I decided that I would take what I’ve been talking about and write a book about it. That’s precisely what I did. Cyber War … and Peace: Building Digital Trust Today with History as Our Guide takes lessons from history, tells a story, and then ties it to a security principle. And I reference the NIST critical security controls and MITRE in the book.
It’s not a technical book. It’s written for a business leader who’s reading the Wall Street Journal and is about to get on a flight from SFO to New York and wants to read about cybersecurity because it’s becoming more and more relevant to their business.
The book’s theme takes a Roman quote: Si vis pacem, para bellum, or “If you want peace, prepare for war.” And then it marches through history, with lessons organized chronologically. And then, each chronological lesson refers to a NIST key control. The next chapter talks about the 300 Spartans that defended Greece against a million-man Persian army. How did 300 people defend against the million-man Persian army? They managed their attack surface, they took a position at the Hot Gates at Thermopylae, and they were able to force the attacker to channel their attack into that manageable attack surface.
And this translates directly back to how you think about architecture—having choke points on a network, making sure that you’re channeling traffic to places that you can monitor and defend.
I understand all the proceeds from your book will go to charity. Can you tell us about the charity you’ve chosen and why you picked it?
Yes, all proceeds from the book will be donated to charity, specifically to NextGen Cyber Talent.
NextGen Cyber Talent’s mission is to educate underprivileged, underserved talent and increase diversity in cybersecurity. I have talked about the fact that there are three and one-half million unfilled cybersecurity jobs. When I was a poor kid, I would have appreciated someone helping me. And so, hopefully, the profits from this book will help NextGen Cyber Talent students and professionals get a leg up in life. It will help underserved talent to get educated and land a better job while also helping the cybersecurity community. That’s a win for everyone.
I hope the book will help business leaders reach a better understanding of technology risk. At the same time, it also provides security leaders with a reference they can use to leverage the power of analogy and to tell a story that can lead to better security outcomes.