Episodes

  • The Stoic CISO with Nick Shevelyov, former Chief Security Officer of Silicon Valley Bank
    Jan 17 2023

    In this week's episode Dr. Crane speaks with Nick Shevelyov, former chief security officer of Silicon Valley Bank and author of Cyber War and Peace, about staying true to your values and applying the principles of Stoicism (wisdom, justice, courage and moderation) in the context of information security leadership.


    Nick is wrapping up a rise of over 14 years at Silicon Valley Bank as the security leader. Banking the world's most innovative companies, SVB provides diverse financial services, a global network and world-class service, with over $150 billion in total assets and more than 3,500 employees.


    Nick also recently released a new book that artfully combines the philosophy of Stoicism and information security in Cyber War... and Peace. Today, I'm talking with Nick about how he meets the challenges of the demanding customer base and how he uses the concepts of Stoicism to help him serve and protect his customers.


    In this episode:

    00:00 — Welcome

    02:24 — Introductions

    02:28 — Cyber War And Peace

    03:34 — How To Apply The Values Of Stoicism To Cybersecurity

    06:42 — How To Apply Courage While In The Role Of CISO

    08:53 — Applying Wisdom In Cybersecurity

    10:51 — Applying Justice In Cybersecurity

    12:00 — Knowing Yourself And Asset Inventory

    15:40 — What Values Are Important For A New CISO

    17:36 — Sign Off


    Nick Shevelyov:

    Website — https://www.nickshevelyov.com/

    Cyber War... And Peace — https://www.nickshevelyov.com/the-book


    Links in this episode:

    The Happiness Advantage — https://www.shawnachor.com/books/happiness-advantage/


    Thanks To Our Sponsors:

    Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate

    CISOWise vCISO — https://www.cisowise.com/


    Heinz College:

    https://www.facebook.com/heinzcollege

    https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/


    Carnegie Mellon:

    https://www.linkedin.com/school/carnegie-mellon-university

    https://www.facebook.com/carnegiemellonu


    Follow CISOWise on all podcast apps.

    Website — https://www.cisowise.com/podcast

    Show Notes & Transcript — https://www.cisowise.com/podcast/010-the-stoic-ciso-with-nick-shevelyov

    19 m
  • Keeping Iron Man Safe with Mike Wilkes, former CISO of Marvel and ASCAP
    Jan 10 2023

    In this week's episode Dr. Crane talks to Mike Wilkes, formerly the CISO at Marvel Comics, about keeping Iron Man safe and digital media security.

    Mike is the chief information security officer at Security Scorecard, the global leader in cybersecurity ratings and the only service with over a million companies continuously rated. Previously he was the CISO at the American Society of Composers, Authors and Publishers (ASCAP) and Marvel Entertainment.

    He has built, transformed and protected companies such as AQR Capital, CME Group, Sony and Macy's, as well as other European banks and airlines. He is a graduate of Stanford University and the author of a book for Cisco Press in 2002. He's a featured speaker at technology conferences and is a professor at NYU teaching cybersecurity courses. He's also on the board of trustees for the National Jazz Museum in Harlem.

    This episode was recorded when Mike was the CISO at Security Scorecard; he has since moved on from this position.


    In this episode:

    00:00 — Welcome

    02:00 — Introductions

    02:21 — Data Classification

    03:50 — Document Management

    05:21 — Marvel Security

    06:38 — What Does Marvel Excel At In Information Security

    07:55 — Tribal Knowledge For A New CISO

    09:29 — Heraclitus

    10:23 — Hackers

    11:18 — Hacking Story

    13:17 — Lessons For CISOs On Hacking And Experimenting

    14:40 — Advice For New CISOs Starting a Team

    18:52 — Tips For Companies Looking To Improve Security

    22:24 — Sign Off


    Mike Wilkes:

    LinkedIn — https://www.linkedin.com/in/eclectiqus


    Links in this episode:

    The Security Chaos Engineering Book — https://www.kellyshortridge.com/book.html


    Show Notes & Transcript — https://www.cisowise.com/podcast/009-keeping-iron-man-safe-with-mike-wilkes

    23 m
  • Resilient Systems with Yiannis Pavlosoglou, former UK CISO of UBS
    Jan 3 2023

    In this week's episode Dr. Crane talks to Yiannis Pavlosoglou about Resilient Systems.

    From supply chain shortages to natural disruptions from changing weather patterns, it seems everything today needs to operate while under some type of duress or attack. But what do CISOs need to know to create resilient systems? And what can we learn from other CISOs who've already gone down this path? 

    NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. That's a mouthful, but what does it actually mean to build a resilient cyber program, to drive the change management necessary to build that type of program, and to put in place the necessary governance processes and procedures?

    To discuss this and more, who better to talk with about cyber resiliency and governance than Yiannis Pavlosoglou, currently the Founder and CEO at Kiberna and, most recently, the CISO for UBS in the UK?


    In this episode:

    00:00 — Welcome

    02:42 — Introductions

    03:35 — What Is Resilience?

    04:08 — What Works?

    05:37 — CISO as a Change Agent for Resiliency

    07:07 — Challenges Driving A Resilient Organization Forward

    08:47 — Where To Look To Build Resiliency

    11:01 — Challenges To Building Resiliency

    12:20 — The Role Of The CISO In Leading Cyber Resiliency

    16:11 — Tools For Building Resiliency

    18:29 — What To Do Once You Have A Set Of Risks To Tackle

    19:45 — References

    21:14 — Sign Off


    Yiannis Pavlosoglou:

    LinkedIn — https://uk.linkedin.com/in/yiannisp

    Kiberna — https://www.kiberna.com


    Links in this episode:

    Operation Resilience for UK Financial Bodies — https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper

    FCA on Building Operation Resilience — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience

    CERT Resilience Management Model — https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30375


    Show Notes & Transcript — https://www.cisowise.com/podcast/008-resilient-systems-with-yiannis-pavlosoglou

    22 m
  • Failure, Culture and Keeping Your Sanity in Cybersecurity
    Dec 27 2022

    In this week's episode, CISOWise guests such as Mike Wilkes, former CISO for Marvel, Nick Shevelyov, former Chief Security Officer for Silicon Valley Bank, and Tim Brown, CISO of SolarWinds, talk about failure, culture and keeping your sanity in cybersecurity.


    In this episode:

    00:00 — Welcome

    02:35 — Alan Levine On His Single Biggest Technology Failure

    05:41 — Tim Brown On Advice For CISOs Potentially Facing A Large Incident

    07:17 — Yiannis Pavlosoglou On Shortcomings Of No Resilience

    09:55 — Mike Wilkes On Having A Social Contract With Your Team

    11:12 — Brandon Hines On Example Of A New CISO Misaligned With The Organization

    13:52 — Mike Wilkes On How Has Marvel Maintained Security Standards For So Long?

    15:30 — Nick Shevelyov On Advice To A New CISO Dealing With Greater Responsibilities

    17:26 — Brent Maher On What Works In Engaging Business Units With Strategy

    19:13 — Joe Robinson On Not Taking Business Decisions Personally

    20:11 — Outro


    Alan Levine:

    LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a

    CISO Street — https://www.cisostreet.com/alan-levine/


    Tim Brown:

    Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/

    LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/


    Yiannis Pavlosoglou:

    LinkedIn — https://uk.linkedin.com/in/yiannisp

    Kiberna — https://www.kiberna.com


    Mike Wilkes:

    LinkedIn — https://www.linkedin.com/in/eclectiqus


    Brandon Hines:

    LinkedIn — https://www.linkedin.com/in/brandonjhines


    Nick Shevelyov:

    Website — https://www.nickshevelyov.com/

    Cyber War... And Peace — https://www.nickshevelyov.com/the-book


    Brent Maher:

    LinkedIn — https://www.linkedin.com/in/ciso-brentmaher


    Joe Robinson:

    High Peaks Solutions — https://highpeakssolutions.com/


    Show Notes & Transcript — https://www.cisowise.com/podcast/007-failure-culture-and-keeping-your-sanity-in-cybersecurity

    20 m
  • Your First 100 Hires with Brandon Hines, VP of Security of Dimensional Fund Advisors
    Dec 20 2022

    In this week's episode Dr. Crane talks to Brandon Hines about building your cybersecurity team and culture, from your first to your hundredth hire.

    Brandon Hines, the vice president of security at Dimensional Fund Advisors, has spent over 14 years establishing and growing a cybersecurity program and continues as a senior leader. Brandon has deep experience in hiring and then managing an effective cybersecurity team.


    In this episode:

    00:00 — Welcome

    01:33 — Your First Hire

    02:53 — Brandon's Method for Hiring

    04:27 — Mistakes And Red Flags In Hiring

    05:28 — The Importance Of Training

    08:25 — Gaining Insights From Business Units

    10:38 — Assessments

    11:58 — Weighing Consistency In Assessments With Diversity Of Assessments

    12:52 — The Value Of A Security Framework In Maintaining Consistent Assessments

    14:08 — What To Look For When Hiring A Third Party For Assessments

    16:24 — Dangers Of A “Brittle” Third Party Assessment

    19:03 — Sign Off


    Brandon Hines:

    LinkedIn — https://www.linkedin.com/in/brandonjhines


    Show Notes & Transcript — https://www.cisowise.com/podcast/006-your-first-100-hires-with-brandon-hines

    20 m
  • Developing a Phishing Awareness Program with Brent Maher, CTO of Johnson Financial Group
    Dec 13 2022

    In this week's episode Dr. Crane talks to Brent Maher, former CISO of Johnson Financial Group, about the human element of phishing and communicating value to stakeholders.

    This episode was recorded when Brent was CISO of Johnson Financial Group. He is now the Chief Technology Officer.


    In this episode:

    00:00 — Welcome

    01:14 — Introductions

    01:18 — What Works? What Doesn't?

    02:28 — Successes In Mitigating Phishing

    03:41 — The Human Element Of A Phishing Program

    06:20 — Getting Approval For A Phishing Program From Executives

    08:32 — Challenges In Implementing A Phishing Program

    11:24 — Sign Off


    Brent Maher:

    LinkedIn — https://www.linkedin.com/in/ciso-brentmaher


    Show Notes & Transcript — https://www.cisowise.com/podcast/005-developing-a-phishing-awareness-program-with-brent-maher

    12 m
  • Being a CISO is Hard with Alan Levine, former CISO of Alcoa
    Dec 6 2022

    In this week's episode Dr. Crane talks to Alan Levine about his experience building a cybersecurity program, what he got right, what he would do differently, and why being a CISO is hard.

    Alan is the former CISO for two Fortune 500 companies, Alcoa and Arconic, with over 35 years of experience leading global cybersecurity programs. He is also a founding board instructor at the Carnegie Mellon CISO program where he lectures to current and rising CISOs on stories from the trenches.


    In this episode:

    00:00 — Welcome

    01:26 — Introductions

    01:29 — Surprises When Building A Cybersecurity Program

    03:22 — Dealing With An Audit As A New CISO

    04:47 — No Credit For Successes, Credit For Failure

    06:05 — Making Friends And Allies

    07:56 — Effective Actions And Controls

    10:04 — User Awareness and BYOD

    13:10 — Building Trust With Your Users

    15:53 — The Most Misunderstood Part Of Being A CISO

    19:50 — Sign Off


    Alan Levine:

    LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a

    CISO Street — https://www.cisostreet.com/alan-levine/


    Show Notes & Transcript — https://www.cisowise.com/podcast/004-being-a-ciso-is-hard-with-alan-levine

    21 m
  • The View From The CIO with Joe Robinson, former CIO of Fifth Third Bank
    Nov 29 2022

    In this week's episode Dr. Crane speaks to Joe Robinson about why he thinks CISOs should report to the CIO, and design considerations for organizational structure. The discussion covers topics such as who is responsible for vulnerability management and building trust as a CISO.

    Joe is the founder and CEO of High Peaks Solutions, a cybersecurity venture focused on helping clients develop real insights and enhance their security programs to prepare for the ever-growing number of cybersecurity threats.

    He was also previously the executive vice president and director of information technology and operations for Fifth Third Bank, where he led the information technology, cybersecurity, data management, and bank operations divisions.


    In this episode:

    00:00 — Intro

    02:03 — Should The CISO Be Under The CIO

    03:21 — The First And Second Line

    04:29 — The Role Of CISO In The First And Second Lines

    05:56 — Organization Of Security Leaders Along Lines

    07:29 — What Works And What Doesn't When Organizing Along First And Second Lines

    09:16 — Ownership Of Responsibilities And Resources

    10:58 — Communication And Relationships Between CISOs and Technology Teams

    13:21 — Reporting To A Board Of Directors

    15:30 — Building A Program For Reporting To The Board

    16:26 — What Works In Building Trust As A CISO

    18:27 — Common Mistakes In Building Trust And Relationships

    19:17 — Getting From "No" To "Yes And Here's How"

    21:28 — Sign Off


    Joe Robinson:

    High Peaks Solutions — https://highpeakssolutions.com/


    Show Notes & Transcript — https://www.cisowise.com/podcast/003-the-view-from-the-cio-with-joe-robinson

    22 m