CISOWise

In this week's episode Dr. Crane speaks with Nick Shevelyov, former chief security officer of Silicon Valley Bank and author of Cyber War and Peace, about staying true to your values and applying the principles of Stoicism, wisdom, justice, courage and moderation, in the context of information security leadership. Nick is wrapping up over a 14-year rise at Silicon Valley Bank. As the security leader, banking the world's most innovative companies, SVB provides diverse financial services, global network and world-class service with over $150 billion in total assets, and more than 3,500 employees. Nick also recently released a new book that artfully combines the philosophy of stoicism and information security in Cyber War... and Peace. Today, I'm talking with Nick about how he meets the challenges of the demanding customer base and how he uses the concepts of stoicism to help him serve and protect his customers. In this episode: 00:00 — Welcome 02:24 — Introductions 02:28 — Cyber War And Peace 03:34 — How To Apply The Values Of Stoicism To Cybersecurity 06:42 — How To Apply Courage While In The Role Of CISO 08:53 — Applying Wisdom In Cybersecurity 10:51 — Applying Justice In Cybersecurity 12:00 — Knowing Yourself And Asset Inventory 15:40 — What Values Are Important For A New CISO 17:36 — Sign Off Nick Shevelyov: Website — https://www.nickshevelyov.com/ Cyber War... And Peace — https://www.nickshevelyov.com/the-book Links in this episode: The Happiness Advantage — https://www.shawnachor.com/books/happiness-advantage/ Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/010-the-stoic-ciso-with-nick-shevelyov

In this week's episode Dr. Crane talks to Mike Wilkes, formerly the CISO at Marvel Comics, about keeping Iron Man safe and digital media security. Mike is the chief information security officer at Security Scorecard, the global leader in cybersecurity ratings, and the only service with over a million companies continuously rated. Previously he was the CISO at the American society of composers authors and publishers or ASCAP and Marvel entertainment. He has built transformed and protected companies such as AQR capital, CME Group, Sony, Macy's as well as other European banks and airlines, a graduate of Stanford University and author of a book for Cisco Press in 2002. He's a featured speaker at technology conferences and is a professor at NYU teaching cybersecurity courses. He's also on the board of trustees for the national jazz museum in Harlem. This episode was recorded when Mike was the CISO at Security Scorecard, he has since moved on from this position. In this episode: 00:00 — Welcome 02:00 — Introductions 02:21 — Data Classification 03:50 — Document Management 05:21 — Marvel Security 06:38 — What Does Marvel Excel At In Information Security 07:55 — Tribal Knowledge For A New CISO 09:29 — Heraclitus 10:23 — Hackers 11:18 — Hacking Story 13:17 — Lessons For CISOs On Hacking And Experimenting 14:40 — Advice For New CISOs Starting a Team 18:52 — Tips For Companies Looking To Improve Security 22:24 — Sign Off Mike Wilkes: LinkedIn — https://www.linkedin.com/in/eclectiqus Links in this episode: The Security Chaos Engineering Book — https://www.kellyshortridge.com/book.html Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/009-keeping-iron-man-safe-with-mike-wilkes

In this week's episode Dr. Crane talks to Yiannis Pavlosoglou about Resilient Systems. From supply chain shortages to natural disruptions from changing weather patterns, it seems everything today needs to operate while under some type of duress or attack. But what do CISOs need to know to create resilient systems? And what can we learn from other CISOs who've already gone down this path? NIST defines cyber resiliency as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. That's a mouthful, but what does it actually mean to have to build a resilient cyber program to drive the change management necessary to build that type of program, to put in place the governance processes and procedures necessary. To discuss this and more, who better to talk with cyber resiliency and governance than Yiannis Pavlosoglou. Currently, the Founder and CEO at Kiberna, and most recently, the CISO for UBS in the UK. In this episode: 00:00 — Welcome 02:42 — Introductions 03:35 — What Is Resilience? 04:08 — What Works? 05:37 — CISO as a Change Agent for Resiliency 07:07 — Challenges Driving A Resilient Organization Forward 08:47 — Where To Look To Build Resiliency 11:01 — Challenges To Building Resiliency 12:20 — The Role Of The CISO In Leading Cyber Resiliency 16:11 — Tools For Building Resiliency 18:29 — What To Do Once You Have A Set Of Risks To Tackle 19:45 — References 21:14 — Sign Off Yiannis Pavlosoglou: LinkedIn — https://uk.linkedin.com/in/yiannisp Kiberna — https://www.kiberna.com Links in this episode: Operation Resilience for UK Financial Bodies — https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper FCA on Building Operation Resilience — https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience CERT Resilience Management Model — https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30375 Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/008-resilient-systems-with-yiannis-pavlosoglou

In this week's episode, CISOWise guests such as Mike Wilkes, former CISO for Marvel, Nick Shevelyov, former Chief Security Officer for Silicon Valley Bank, and Tim Brown, CISO of SolarWinds, talk about failure, culture and keeping your sanity in cybersecurity. In this episode 00:00 — Welcome 02:35 — Alan Levine On His Single Biggest Technology Failure 05:41 — Tim Brown On Advice For CISOs Potentially Facing A Large Incident 07:17 — Yiannis Pavlosoglou On Shortcomings Of No Resilience 09:55 — Mike Wilkes On Having A Social Contract With Your Team 11:12 — Brandon Hines On Example Of A New CISO Misaligned With The Organization 13:52 — Mike Wilkes On How Has Marvel Maintained Security Standards For So Long? 15:30 — Nick Shevelyov On Advice To A New CISO Dealing With Greater Responsibilities 17:26 — Brent Maher On What Works In Engaging Business Units With Strategy 19:13 — Joe Robinson On Not Taking Business Decisions Personally 20:11 — Outro Alan Levine: LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a CISO Street — https://www.cisostreet.com/alan-levine/ Tim Brown: Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/ LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/ Yiannis Pavlosoglou: LinkedIn — https://uk.linkedin.com/in/yiannisp Kiberna — https://www.kiberna.com Mike Wilkes: LinkedIn — https://www.linkedin.com/in/eclectiqus Brandon Hines: LinkedIn — https://www.linkedin.com/in/brandonjhines Nick Shevelyov: Website — https://www.nickshevelyov.com/ Cyber War... And Peace — https://www.nickshevelyov.com/the-book Brent Maher: LinkedIn — https://www.linkedin.com/in/ciso-brentmaher Joe Robinson: High Peaks Solutions — https://highpeakssolutions.com/ Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/007-failure-culture-and-keeping-your-sanity-in-cybersecurity

In this week's episode Dr. Crane talks to Brandon Hines about building your cybersecurity team and culture, from your first to your hundredth hire. Brandon Hines, the vice president of security at Dimensional Fund Advisors, has spent over 14 years establishing and growing a cybersecurity program and continues as a senior leader. Brandon has deep experience in hiring and then managing an effective cybersecurity team. In this episode: 00:00 — Welcome 01:33 — Your First Hire 02:53 — Brandon's Method for Hiring 04:27 — Mistakes And Red Flags In Hiring 05:28 — The Importance Of Training 08:25 — Gaining Insights From Business Units 10:38 — Assessments 11:58 — Weighing Consistency In Assessments With Diversity Of Assessments 12:52 — The Value Of A Security Framework In Maintaining Consistent Assessments 14:08 — What To Look For When Hiring A Third Party For Assessments 16:24 — Dangers Of A “Brittle” Third Party Assessment 19:03 — Sign Off Brandon Hines: LinkedIn — https://www.linkedin.com/in/brandonjhines Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/006-your-first-100-hires-with-brandon-hines

In this week's episode Dr Crane talks to Brent Maher, former CISO Johnson Financial Group, about the human element of phishing and communicating value to stakeholders. This episode was recorded when Brent was CISO of Johnson Financial Group. He is now the Chief Technology Officer. In this episode: 00:00 — Welcome 01:14 — Introductions 01:18 — What Works? What Doesn't? 02:28 — Successes In Mitigating Phishing 03:41 — The Human Element Of A Phishing Program 06:20 — Getting Approval For A Phishing Program From Executives 08:32 — Challenges In Implementing A Phishing Program 11:24 — Sign Off Brent Maher: LinkedIn — https://www.linkedin.com/in/ciso-brentmaher Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/005-developing-a-phishing-awareness-program-with-brent-maher

In this week's episode Dr. Crane talks to Alan Levine about his experience building a cybersecurity program, what he got right, what he would do differently, and why being a CISO is hard. Alan is the former CISO for two Fortune 500 companies, Alcoa and Arconic, with over 35 years of experience leading global cybersecurity programs. He is also a founding board instructor at the Carnegie Mellon CISO program where he lectures to current and rising CISOs on stories from the trenches. In this episode: 00:00 — Welcome 01:26 — Introductions 01:29 — Surprises When Building A Cybersecurity Program 03:22 — Dealing With An Audit As A New CISO 04:47 — No Credit For Successes, Credit For Failure 06:05 — Making Friends And Allies 07:56 — Effective Actions And Controls 10:04 — User Awareness and BYOD 13:10 — Building Trust With Your Users 15:53 — The Most Misunderstood Part Of Being A CISO 19:50 — Sign Off Alan Levine: LinkedIn — https://www.linkedin.com/in/alan-levine-43a226a CISO Street — https://www.cisostreet.com/alan-levine/ Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/004-being-a-ciso-is-hard-with-alan-levine

In this week's episode Dr. Crane speaks to Joe Robinson about why he thinks CISOs should report to the CIO, and design considerations for organizational structure. The discussion covers topics such as who is responsible for vulnerability management and building trust as a CISO. Joe is the founder and CEO of High Peaks Solutions, a cybersecurity venture focused on helping clients develop real insights and enhance their security programs to prepare for the ever-growing number of cybersecurity threats. He also previously was the executive vice president and director of information, technology, and operations for Fifth Third Bank where he led the information technology, cybersecurity, data management, and bank operations divisions. In this episode: 00:00 — Intro 02:03 — Should The CISO Be Under The CIO 03:21 — The First And Second Line 04:29 — The Role Of CISO In The First And Second Lines 05:56 — Organization Of Security Leaders Along Lines 07:29 — What Works And What Doesn't When Organizing Along First And Second Lines 09:16 — Ownership Of Responsibilities And Resources 10:58 — Communication And Relationships Between CISOs and Technology Teams 13:21 — Reporting To A Board Of Directors 15:30 — Building A Program For Reporting To The Board 16:26 — What Works In Building Trust As A CISO 18:27 — Common Mistakes In Building Trust And Relationships 19:17 — Getting From "No" To "Yes And Here's How" 21:28 — Sign Off Joe Robinson: High Peaks Solutions — https://highpeakssolutions.com/ Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/003-the-view-from-the-cio-with-joe-robinson

In this week's episode Dr. Crane speaks with Mark Morrison about understanding and communicating with business units when implementing a security program, and managing a workforce in the face of shortages. Mark is the senior vice president and chief security officer at the Options Clearing Corporation. Previously, Mark was the chief information security officer with State Street Bank. Mark has had a long and distinguished career in the Defense Department and intelligence community serving in multiple cybersecurity leadership roles. In this episode: 01:32 — Introductions 01:36 — What Works In Driving Security Initiatives? 03:08 — Successes In Resiliency And Being Proactive 04:12 — Organizations Falling Behind On Being Proactive 04:50 — Challenges In Understanding Critical Business Processes And Elements 07:03 — Determining Return On Investment Of Security 08:08 — Communication With Business Units When Implementing New Controls? 08:41 — Overreach In Security Affecting Business Processes 10:13 — Resiliency And Planning For Attacks 13:00 — Cybersecurity Workforce Shortage 15:10 — How Do You Ensure Your Cybersecurity Program Is Adequately Staffed? 16:32 — Successes In Cybersecurity Drawing Workforce From Military 17:42 — Sign Off Mark Morrison: The OCC — https://www.theocc.com/Company-Information/Executives/Mark-Morrison Links in this episode: US Cyber Command — https://www.cybercom.mil/ The SEI — https://sei.cmu.edu/ Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/002-establishing-your-cyber-program-with-mark-morrison

In this week's episode Dr. Crane talks to Tim Brown, the CISO of SolarWinds about the Sunburst malware intrusion, how it affected him and his company, the changes he made, and how Tim stayed on as CISO after the intrusion. SolarWinds shot to national prominence due to the Sunburst malware intrusion, first discovered by FireEye in 2020. This incident resulted in the first stand-up of a cyber unified coordination group, with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence, to coordinate a whole of government response to this incident. The Atlantic council said that Sunburst was a significant moment for cloud computing security and the attack raised concerns about the existing threat model that major cloud service providers use. Now imagine being the cybersecurity leader at the organization identified in this intrusion that affected thousands of customers. That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory. In this episode: 00:00 — Highlight Clip 02:07 — Introductions 02:54 — Sunburst Incident Overview 05:55 — Difficulties Of Handling An Incident During The Holidays 07:05 — How Tim Stayed As CISO 09:06 — Pivoting From Internal To External Facing CISO 11:16 — Organization Reporting Obligations 12:58 — Finding Help For A Large Incident 14:16 — Reaching Out To National Defenders 15:56 — Cooperating With CISA For Messaging 16:47 — Lessons And Improvements Going Forward 18:58 — Validating A Digital Supply Chain 20:55 — Assume Breach Before And After 21:24 — Sign Off Tim Brown: Orange Matter — https://orangematter.solarwinds.com/author/tim-brown/ LinkedIn — https://www.linkedin.com/in/tim-brown-93639a1/ Links in this episode: SolarWinds RSA Presentation — https://www.youtube.com/watch?v=7DHb1gzF5o4 Thanks To Our Sponsors: Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate CISOWise vCISO — https://www.cisowise.com/ Heinz College: https://www.facebook.com/heinzcollege https://www.linkedin.com/school/carnegie-mellon-university---h.-john-heinz-iii-college/ Carnegie Mellon: https://www.linkedin.com/school/carnegie-mellon-university https://www.facebook.com/carnegiemellonu Follow CISOWise on all podcast apps. Website — https://www.cisowise.com/podcast Show Notes & Transcript — https://www.cisowise.com/podcast/001-tim-brown-on-sunburst

In this teaser episode Dr Earl Crane talks to Tim Brown, CISO of SolarWinds about the recent Sunburst malware intrusion and the security-by-design philosophy. SolarWinds, shot to national prominence due to the Sunburst malware intrusion. It resulted in a coordinated whole of government response to this significant cybersecurity incident. As stated by CISA, an advanced persistent threat actor was responsible for compromising the SolarWinds Orion supply chain as well as widespread abuse of commonly used authentication mechanisms. Throughout the attack, the Sunburst intruders maintained significantly high levels of operational security to avoid discovery. The Sunburst malware landed in its prospective targets and waited patiently for two weeks before initiating any activity. Now imagine being the cybersecurity leader at the organization identified by name in this intrusion that affected thousands of customers. That was the situation Tim found himself in, in late 2020. He joins me here today to share his experience and wisdom in dealing with one of the most significant cybersecurity incidents in recent memory.