Identity Deep Dive with Shawn Lawson, Head of IT at Silicon Valley Bank

Shawn Lawson, head of IT at Silicon Valley Bank, has led a fascinating career in enterprise technology, including systems administration, networking, cyber security, and project management. His interest in information security began just before the big rise in eCommerce and before most of today’s industry and government data regulations.

That’s why we thought it would be a great idea to discuss his career, how he came to his current position at Silicon Valley Bank and the relationship between good security and regulatory compliance.

Thank you for taking the time to speak with us, Shawn. Could you share with us a little about your career and your path to your current position at Silicon Valley Bank?

Since my start in IT, I have worked in various IT roles and enjoyed them all immensely. But I realized I wanted to learn more and expand my knowledge and expertise to new areas. I took a number of IT integrator positions and gained a lot of network and security consulting experience. After that, I went to work for UBS as a security analyst on its trading floor in Connecticut.

That was my starting point with security. That was back in the mid-1990s, and it was within this timeframe that I became interested in security. I could see a bigger demand for security on the way. The Internet was growing more popular with businesses and the population. I realized then that, if businesses were going to succeed on the Internet, people were going to have to feel secure. That meant security was going to be a critical part of it all.

Shortly after that, I earned my CISSP (Certified Information Systems Security Professional). I continued with additional security and technology certifications and consulted for UBS, Swiss bank, and other financial services. Shortly thereafter, I went to work, as a sales engineer, for a small product company that specialized in identity management.

That was a fascinating time in information security and identity management.

This was a period with incredible action in the industry. In the early 2000s, security was starting to quickly grow. After my time working at the identity vendor, I went to work for a security value-added reseller. There, I performed a lot of security consulting on just about every security product under the sun. We worked network security, endpoint security, data security, whatever kind of security. I also worked with security vendors, both in product design and helping them to understand how to solve some of the problems they faced. After doing that work for a while, I joined Cisco doing similar work but with a focus on networking and security.

After Cisco, in 2010, I joined Silicon Valley Bank as a networking and security analyst and engineer. Cisco was growing within the security field, and it started to expand the team. I was promoted to security architect and then cybersecurity director. That group focused on building the components of a cybersecurity program, such as the policies and standards that would drive the program forward.

As director, I consolidated all of the various security operations within a single security operations center. This also included practices such as incident response and computer forensics. During this time, I also built a separate application security team. We went from a small cybersecurity organization of four to 20 staff members in a relatively short period of time. Shortly thereafter, I was asked to help run IT engineering operations.

And so, after having built out a high-performing, effective cybersecurity organization, I then entered my current role as the head of IT Infrastructure.

During your talk at Navigate ’19, you spoke about achieving regulatory compliance through effective security. How do organizations achieve that balance?

I think it’s all in the approach. If you’re doing the right things when it comes to security, the compliance aspect will fall into place. Focus on what actually delivers good security, then the rest is just going to happen all on its own. This is because, when you are implementing effective security, you are already going to check all of the boxes they are going to ask you to check. And because you focused on good security practices, you actually are reducing your risks and meeting your regulatory requirements, so it’s a win-win.

Many think it’s just a matter of going through the motions: Install a firewall, flip that switch, and check the box.

The reality is that regulatory requirements are meant to be a minimum requirement – not the end goal. Sometimes regulatory mandates are static. As a result, they become stale, and they therefore don’t provide good security. And so, if you think that, just because you meet your regulatory requirements, you’ve got good security, you’re wrong. It doesn’t.

What you have reached is a minimum baseline that makes sure you’re not completely incompetent. But it’s not going to give you good security. If you build good security in your environment, however, you are naturally going to address all of your compliance requirements, too.

I have this same conversation with our regulators and others, and I show them that we’re not a checkbox shop. We do this work because we really want excellent security, and the regulators love it.