If anything is guaranteed about the future, it’s that technological innovation will advance more quickly each year. But progress isn’t just for those with good intentions. The technology that empowers you can also imperil you, making digital risk management an existential priority for your company. Some of our most famous predecessors also faced unprecedented obstacles, and their stories are more than good folklore. They provide us with principles that transcend time and space.
In his new book, Cyber War…and Peace, Nicholas Shevelyov shares how lessons learned from history’s most poignant moments reveal strategies to help manage risk in today’s and tomorrow’s digital landscape. His insight and analysis will introduce you to concepts that will increase resiliency within your organization, no matter its size.
This exploration of history and strategy in the digital world around us will challenge you to re-examine the past, solve new problems and embrace timeless techniques.
Drew Appelbaum: Hey Listeners, my name is Drew Appelbaum and I’m excited to be here today with Nicholas Shevelyov, author of Cyber War…and Peace: Building Digital Trust Today with History as Our Guide. Nick, thank you for joining! Welcome to The Author Hour Podcast.
Nicholas Shevelyov: Thanks Drew, thanks for having me. I’m glad to be here.
Drew Appelbaum: Let’s kick this off. Can you give us a brief rundown of your professional background?
Nicholas Shevelyov: Sure! I started my career in technology. Growing up, I was always the kid that was helping people set up their computer networks, whether in their home or their office. Got my undergraduate degree in economics but had an interest in technology. Started my career at a company called Data Broadcasting Corporation, which sold real-time data to individual investors. I got a mix there, of both finance and technology. From there, started to explore how to build networks, how to manage them.
By the late 90s I was managing a technology shop, storing and processing credit card information, and the hackers kept trying to steal it and I thought, “You know, I’ve got to learn more about this space in IT security”— we called it that back in those days. I went to work for a gentleman who solved for one of the first Internet worms back in 1988. William Morris Jr. released a worm and this gentleman solved for it, sort of an antivirus solution. So, I went to work for a specialized boutique security consulting firm, working for government agencies, and really worked on the “How do you break into networks? Once you break into them, how do you harden them and how do you protect them?”
That was a great experience. And then I moved on to Deloitte. Deloitte is one of the big four consulting firms and I focused on financial services and technology companies. And again, how do you manage risk in these types of organizations, how do you balance data privacy needs with the need for protecting an organization and applying good, sound cybersecurity architecture and strategy and practices.
While doing that, one day I came to help out a small bank that was growing really fast, Silicon Valley Bank, and about a year into the consulting engagement, they asked me to start a security practice for the bank. I thought it was a great opportunity to build a security program, and I built the cybersecurity program, the data privacy program, and the business continuity program.
For a while, I stepped into the CIO role to start a cloud-first mobile-first strategy. And now, I am back in the role of chief security officer for Silicon Valley Bank, but [am] in the process of hiring my successor. Over the rest of the year and early part of next year, I’ll be an advisor and then I will move on to my next big adventure; capping off sort of the 15-year stint at SVB.
25 years on the digital battlefield, the last 15 as a chief security officer, and here I am today, speaking with you about the book that I just wrote.
Drew Appelbaum: You’ve been in this space for such a long time. Why was now the time to share the stories in the book? Is there something inspiring out there for you? Did you have an “aha moment” or something as simple as a bunch of people came up to you and said, “Nick, you have a wealth of knowledge here, you got to write this down, you got to tell these stories”?
Nicholas Shevelyov: It’s a little bit of both. I had been speaking at conferences for years. I started to incorporate this concept of using lessons from history and applying it to digital risk management, in the space of cybersecurity. It really resonated with listeners, especially people that maybe didn’t have a deep technology or cybersecurity background.
Afterward, people were generous enough to come up and say “Hey, you should write a book on this topic!” And I kind of thought, You know, maybe someday I will. I just didn’t have the time. And then when lockdown happened, with the pandemic, I thought, now is the perfect time to sit down, write a book on this concept and see if I can give something to the community. Or maybe, [to] someone who doesn’t have a technology background, [who] doesn’t have a cybersecurity background but might be a business leader, who picks up the Wall Street Journal or any other journal and reads about all the different cybersecurity risks going on— whether it’s SolarWinds or the ransomware attacks— that by the end of reading this book, they’d have a better understanding of good sound security principles through the power of analogical thinking.
That’s how I used my time in lockdown, wrote this book, and went through lots of different iterations to kind of have a good summary of how to think through technology through the power of lessons through history.
Drew Appelbaum: Speaking of those iterations; you had the idea for the book, maybe you had an outline for the book… A lot of times, authors will have some major breakthroughs and learnings during their writing process. Did you have any of these major breakthroughs or learnings, maybe by digging deeper into some of the subjects or doing some research?
Nicholas Shevelyov: Yes! I started off with what I would describe as a brain dump. It’s more of a clinical approach to how to think about cybersecurity through the National Institute of Standards and Technology, critical security controls, and tying it back to lessons in history. What I learned through this process is, how do I tell a story? How do you approach this [in a way] that’s a little more compelling? How do you take lessons from history that are quite powerful— like The Code of Hammurabi and the building of ancient Babylon— and how the principles of that code, getting skin in the game, contributed to architectural excellence, and how architectural excellence contributed to the Hanging Gardens of Babylon some hundred years later? And how that became one of the seven wonders of the ancient world.
When you take that principle and you tie it into the principles of sound architecture and technology— how do the two resonate. As I went through the process of the book, it really became more of, how do I find my voice and actually incorporate a little bit of my background to tell a story that can resonate with the reader so that at the end of the book, they felt like, “You know what? I’ve learned a few things that are going to slightly shift the way that I think about my investments at inception.”
Cybersecurity is For Everyone
Drew Appelbaum: When you were writing the book, in your mind, who were you writing it for? Because you’ve mentioned a few audiences. You’ve mentioned people who don’t have much knowledge in the space. What about people who do have a lot of knowledge in this space? Or what about just a business owner who has never thought about this before?
Nicholas Shevelyov: I wrote it for someone who is— hypothetically, they’re getting on a plane and they’re going to be on a flight for three or four, five hours. They’re a business leader. They have skin in the game for protecting their organization in some form or fashion. You might be a CFO who is financing cybersecurity investments. You might be a Head of Product. You might be even a CEO! You keep reading about all these different breaches and you want to learn more but you don’t know where to start. You pick up this book and through the power of storytelling and analogical thinking, you learn more about sound practices so that you can have a discussion, not just with your internal leaders in technology and security— if you don’t have them, maybe engaging with consultants— but you can also start to have a conversation with the board of directors and other stakeholders in your organization to understand, are we thinking through sort of the layers that we need to apply in defending our organization? The good hygiene that they need, not just from technology but from the process itself. And how do we think through resilience for a business that is on the Internet and in the 21st-century digital economy?
Drew Appelbaum: Is there anything that readers can do or need to do to prepare themselves to start the book? Or, is there anything that they could do before starting the book to make sure they’re getting the most out of the book?
Nicholas Shevelyov: You know, if you’re curious and you’re interested in this topic and you want to learn more and maybe connect the dots on some principles, I think that’s all you need. It doesn’t require any sort of specialization or background. I consider myself a specialist in cybersecurity and technology, and in privacy. I hopefully have been able to take that ability, that experience, and expertise and apply it in a way that a reader from almost any background can appreciate the content.
Drew Appelbaum: Digging into the book itself, you actually start the beginning of the book, talking about your own life and what it was like growing up partially in the United States, partially in Russia and how that led to your appetite for technology and just a democratization of data and information.
Can you tell us a little bit about those younger years and how you got motivated to get into this field and to learn more about data?
Nicholas Shevelyov: Sure! I was born in the Pacific Northwest to two Russian immigrants, who themselves had been born in China and immigrated to the United States. And at that time, in the early 70s, we were at the height of the Cold War and Russian American relations weren’t great. We were Russian, had a Russian last name and it wasn’t a really friendly environment.
We moved back to the Soviet Union. My dad took a job with the State Department and we had some interesting experiences in that my dad was a former Marine and he is now working for the State Department. He’s living in the Soviet Union and what we found was that we were assigned an apartment that was bugged. So, we found that when you have something important to say, you go and you stand next to a sink— maybe in the bathroom or the kitchen— you run the water and you talk over it because that blocks the bugs from listening in on your conversations.
When you went out with a friend, a local friend, [you needed to] be aware that that person was probably building a dossier on you to report back to the KGB. All that kind of came to fruition; my dad ended up publishing an accurate map of Moscow, which was a no-no back in the day, and he was taken away. He was taken away and interrogated. And when he came back, we left everything and moved back to the United States. We were quite poor.
Money transfer wasn’t as easy back in those days and we started from scratch again. So, I kind of grew up— but my dad bought a computer early in those days and I was responsible for setting it up and configuring it and making it work. And I just sort of fell in love with technology.
I fell in love with the idea that I could be in a garage, connecting up to a bulletin board service and listening and learning about people sharing information around the world. I thought this is really what I want to do in my career and so, I took a practical approach and got a degree in economics but was always involved in technology in some form or fashion.
I really loved the idea of information, democratization, right? Being able to have people have free access to information all around the world. But what I learned relatively early in my career is that the very technology that empowers us may also imperil us.
I talked about how I was running a technology organization that was processing credit card data. People tried to steal it. They tried to commit fraud and I realized that I want to not just enable, I also want to protect. I want to take the lessons that I learned as a kid where we were being listened in on and where our lives, in some form or fashion, were even at risk.
I wanted to provide protection. So, my interest in data privacy and cybersecurity, they all tick and tie together. The tradeoff is that we can’t have privacy without security, but too much security may infringe on data privacy. And how do you balance that in a world where more and more of us are connected to one another?
It’s those experiences as a child that developed the point of view in my adult life and it’s been able to allow me to have a very fulfilling profession and a career that gives purpose and meaning to my values and to my interest as well.
Drew Appelbaum: So, fast-forwarding to today, considering the tech that’s in everybody’s home— it’s in everybody’s hand or their pocket or their pocketbook— why aren’t folks spending time thinking about how these new technologies might introduce risk in their lives?
Nicholas Shevelyov: We’re all super busy, right? Technology can make things so easy, so much easier in our lives. But sometimes, it’s worthwhile to pause and think, what are the possible outcomes here? Am I doing something to promote and enable myself and if so, what’s the flipside of that? Hopefully, the book helps us think through the pros and cons of various things that we do, everyday behavior in our life, but technology is fantastic.
It makes the world a better place. I think that innovation improves the human condition. It is just being forewarned and forearmed about the tradeoffs of doing it and how to protect yourself with sound practices, how to protect your business with good hygiene, first and foremost in order to get the best out of the enablement that we have in the digital world today but also protecting ourselves so that we ourselves are safe and our organizations are safer as well.
Learning From Failure
Drew Appelbaum: Now, to get to this point where you are, you had to have some great successes but also some failures and you talk about it in the book that you learned from success but the lasting and meaningful lessons actually come from failure. Can you talk about some of those learnings you had from failure throughout your career?
Nicholas Shevelyov: Sure. I think that experiences such as defending an organization or hardening a data center, and maybe making certain assumptions about knowing your total inventory or the capabilities of that inventory, that I made earlier in my career are the ones that sort of could burn you the most. Some years ago, Nassim Taleb wrote a book called The Black Swan; black swans are the big surprises, right? The unknown unknowns out there.
I have a chapter in the book that I call The Red Swan, the known knowns that just ain’t so. There is a quote from Mark Twain around that. How do you take what you believe to be true and institute a set of principles and a discipline of continuous validation at the appropriate frequency and the appropriate efficacy? In my case, it was lack of a complete asset inventory that had led to compromises of certain systems and applications, which themselves, once compromised, try to propagate that compromise and infect other machines. And it created what’s known as a broadcast storm and basically made those resources inaccessible.
What I learned in that is when you’re going through a data security event like that, it feels like you’re living in hell. It’s not that you wake up in the middle of the night, you just don’t go to sleep, right? You’re in 24/7 war rooms. What it instilled in me is, I didn’t know all the assets and that burned me. How do I learn from that and how do I institute in my mind a mindset of continuous validation with the appropriate frequency, the appropriate efficacy, and understanding that entropy is king?
You can’t just set it and forget it in technology and in cyber risk management because entropy will set in, and how do we continuously look for that and ensure that we’re dealing with the entire landscape appropriately? That was an example of one of the lessons learned that I call scar tissue and how do you learn from that scar tissue.
Applying Lessons From the Past to the Future
Drew Appelbaum: I know that was probably a horrible moment for you but some of these tactics that people use are super interesting like synopsis, very cool. Going back to the book— and you talked about this earlier too— I think one of the more interesting things that you do and what makes a really great read especially for history buffs is that you use major historical events in the book as lessons for today’s business world. Could you name a few of the events in the book that you describe and maybe dig a little deeper into one of them and tell us how it might correlate into a business lesson?
Nicholas Shevelyov: Yeah, absolutely. In the book, I talk a little bit about a story my father told me about a Spartan boy. I’ll let you read the book to learn more about it but, the Spartans are famous for being some of the great soldiers of antiquity. 10, 15 years ago, in fact, there was a movie about 300 Spartan soldiers that held off almost a million-man Persian army for three days buying time for the Greek city-states to organize and defend Greece against the invasion by the Persian empire.
Those 300 Spartans were complemented with some other soldiers as well but they were able to hold off a million-man army by managing the attack surface. They organized themselves at Thermopylae, which is a very narrow piece of land, and they were able to defend that narrow piece of land. If they had met the Persian army in an open field, they would have been encircled and crushed in an hour. But they were able to hold off that army on that tight piece of land; they held the gates of Thermopylae for three days.
The lesson there is that all of us face technology sprawl, the sprawl of our attack surface. It keeps growing and growing, and how can we use the lesson in a previous chapter around sound architecture and translate that into managing our attack surface in the digital world, so that our security operations, those operators, can manage where attackers can attack an organization? They can have jump boxes where people go, and from there they can conduct privileged activities.
It kind of builds on the first chapter that talks about architecture and this chapter around the Spartan 300 and managing the attack surface talks about leveraging architecture to narrow the field of battle to set your organization up for a win.
Drew Appelbaum: After finishing the book, what impact do you hope it will have on the reader, and do you hope that they will take any steps in their personal or professional life after finishing?
Nicholas Shevelyov: You know, it will be great if after reading the book— I start the book with ancient Babylon and kind of move through history tying it back to the various critical security controls— and I wrap up back in antiquity with the Trojan War. I talk about the concepts of biē and mētis and how Homer captured this concept of biē and force. [I talk about] the character of Achilles and mētis’s cleverness and [how] he captured that with Odysseus, how organizations need to think about where they will be forceful and where they will be clever, and how that translates in today’s world where we have digital Trojan horses all the time entering our organizations.
What I really hope at the end of the book is that the reader, first and foremost, enjoyed a good story. It’s a quick read and a fun read— hopefully, from what I’ve heard from others. So hopefully, they’ll enjoy it. But also, a seed would have been planted on asking yourself, “Hey, are we thinking about architecture correctly? Are we managing our attack surface? Are we treating issues with the appropriate degree of severity? Do we have any bias being built into our decision making, and how are we thinking about the decisions that we make so we’re balancing probability and impact a little more holistically?”
If you come away with that sort of idea and an eagerness to learn more, then I’ll feel like that was time well spent.
Drew Appelbaum: Nick, we just touched on the surface of the book here but I just want to say that writing a book that will help educate folks on just the importance of cybersecurity and the lessons of our past is no small feat. So, congratulations on having your book published.
Nicholas Shevelyov: Thank you so much.
Drew Appelbaum: I have one question left. It’s the hot seat question. If readers could take away only one single thing from the book, what would you want it to be?
Nicholas Shevelyov: Those who do not know history are doomed to repeat it. Take lessons from history and apply them to our future in the digital realm.
Drew Appelbaum: That’s a classic. This has been a pleasure, Nick, and I’m excited for people to check out this book. Everyone, the book is called Cyber War…and Peace and you can find it on Amazon. Nick, besides checking out the book, where can people connect with you?
Drew Appelbaum: Nick, thank you for taking some time to come on the podcast today, and best of luck with your new book.
Nicholas Shevelyov: Thank you, Drew.