History Lessons for Modern Cyber Risk (EP 826)

What do the 300 Spartans, Napoleon, and Silicon Valley startups have in common? Nick Shevelyov explains how lessons from history can empower IT professionals and MSPs to better defend their organizations, communicate with executives, and manage risk in a rapidly evolving digital world.
Uncle Marv welcomes Nick Shevelyov, former CIO of Silicon Valley Bank and CEO of VCSO.AI, for a masterclass in cybersecurity storytelling and risk management. Nick shares how his unique journey—defending the innovation economy, banking tech giants, and advising boards—led him to write “Cyber War and Peace,” a book that uses analogies from history to make cyber risk relatable and actionable.
Topics Discussed:
- The value of historical analogies in explaining cybersecurity
- Board-level communication: Making cyber risk understandable and actionable
- Managing technical debt and legacy systems in fast-moving environments
- Building observability and setting baselines for network health
- The balance of security and privacy in compliance and operations
- Nick’s favorite exercises and templates for risk management
- How to avoid survivor bias and think holistically about defense
- Upcoming book on cognitive biases and behavioral economics in cyber risk
Key Resources & Links:
- VCSO.AI: https://vcso.ai
- Cyber War and Peace: https://amzn.to/3ZsrPFA
- NACD Technology Risk Guidance: https://www.nacdonline.org
- Diligent Board Platform: https://diligent.com
- CISA Known Exploited Vulnerabilities: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- FIRST EPSS: https://www.first.org/epss
=== MUSIC LICENSE CERTIFICATE
- Licensee: Marvin Bee
- Registered Project Name: IT Business Podcast
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Author Username: AlexanderRufire
- License Date: January 1st, 2024
- Item License Code: 7X9F52DNML
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
- Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ
- Become a monthly supporter: https://ko-fi.com/itbusinesspodcast
[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we try to help you run your business better, smarter and faster. Today folks, I think what we're going to end up doing is dropping a whole bunch of knowledge. And one of the things that we have talked about in recent years is how we need to step our game up when it comes to cybersecurity.
We talk about doing vCISO services, and I actually got introduced to somebody who actually can speak to this and speaks to it from a very highbrow point of view compared to most of us. Today I have with me Nicholas Shevelyov, and he was a former chief information officer at Silicon Valley Bank. So this is not somebody that just kind of stepped into a role at a little old B2B business or something like that.
I think he's going to have some very good insights for us. He's got a company now called VCSO.AI. He's the CEO and managing partner there. Nicholas, welcome to the show.
[Nick Shevelyov]
Hi Marvin, thanks for having me.
[Uncle Marv]
Thanks for being available to come on and share some knowledge with us. Cybersecurity, as I mentioned, is getting to be huge these days.
[Nick Shevelyov]
It has a bigger role in our lives every day, right? The more we digitize our lives, the more we digitize our economy, the varied technologies that are empowering us are also imperiling us. And cyber risk management is there to help us manage that risk.
So yeah, very relevant today and only getting more so.
[Uncle Marv]
Now, I should also mention to everybody here that some of the stuff we're going to talk about is actually out of a book that you wrote called Cyber War and Peace, Building Digital Trust Today with History as Our Guide. And it's a bit of a mouthful, but what prompted you to actually sit down and write this book?
[Nick Shevelyov]
You know, Marvin, I've spent many years speaking at conferences and about 15 years ago, I began to talk about analogical storytelling. I can talk about vulnerabilities and I can talk about security risks, but I really wanted to help audience members empower themselves to speak more adroitly with their constituents. And I was a chief security officer and a chief information officer from 2007 to 2021 at Silicon Valley Bank, and we were a global publicly traded bank.
But in the back of my mind, I was always a chief translation officer. So I wrote the book to help operators and practitioners in technology, in cybersecurity, learn about analogical storytelling, taking a real historical event, translating it into how business leaders can think about the cyber risks facing their organizations and have fun telling a story. And so each chapter has a lesson from history and there's a story there and then it translates to a security principle and down to an actual control as defined by the National Institute of Standards and Technology.
So it was an idea that I talked about for many years. When lockdown happened with COVID, I sat down and I wrote the book and that was an interesting experience, challenging, and then editing the book was even harder. And then it published in August of 2021.
I stepped down from my operator role, went on a book tour, left the bank on my 15-year anniversary and started VCSO.AI, a cybersecurity advisory firm helping companies think through cyber strategy and helping cybersecurity product companies build better products.
[Uncle Marv]
All right. So you did the book during COVID. So I imagine that was a fun time there.
We were stuck at home. So a perfect time there. Let me ask real quick, just to set the stage, Silicon Valley Bank.
Of course, most of us in the tech world, we hear Silicon Valley. We know that that's where the tech industry booms loudest. So as far as Silicon Valley Bank, are you able to tell me, did you guys work with a lot of those tech giants out there?
And is that one of the things that made it such a great position to be at?
[Nick Shevelyov]
Yeah, great question and spot on is that I've been very fortunate through proximity, being here in Silicon Valley, but also having an executive seat at Silicon Valley Bank. So my background was very technical in nature. Originally, ultimately doing attack and pen work and then working at Deloitte for a number of years in cyber and data privacy.
And in 2007, I joined the bank as their chief security officer and privacy officer. And I became accountable for defending the bank globally. And we became the global bank of the innovation economy.
So at one point, we banked approximately 80 percent of all the top tier venture capital and private equity backed intellectual property around the world. So think about when Facebook was getting started. We gave them their first checkbook.
When Palo Alto Networks was getting started, we were design partners and were helping define their roadmap. And that later became a huge cybersecurity product company. When FireEye and Zscaler were just getting started, we gave them loans.
And because we gave them loans, we got introductions and we worked with them as design partners in order to build solutions that we could use. But also they would then go and sell in the market. And so that was a unique period in that from 2007 to 2021 to get to work with all these startups, see a lot of them go away, but some of them become very big, very relevant companies, a very unique and special opportunity and formed a lot of incredible relationships and got to be plugged into the ecosystem with a very unique perspective.
So that was a unique benefit to being in that seat. And for two years, I became chief information officer as well to adopt public cloud and agile software delivery methodology safely in a highly regulated environment. We were regulated by the Federal Reserve Bank and then ultimately stepping down in 2021 on my 15-year anniversary.
[Uncle Marv]
Yeah, very nice. All right. I can ask you a ton of technical stuff because I have one financial client and the stuff that we have to go through with them is astounding compared to all my others.
But let me ask you this. One of the things that, when we were prepping for the show, stuck out to me is that you spent a lot of time helping people translate the world of cybersecurity to, I don't want to say board-level executives, but a lot of times we as techs have to talk to our clients and they're not well versed in tech all the time. Some of them might even be in tech, but they don't know what goes on behind cybersecurity and that sort of thing.
And a lot of what you did and are doing is helping to set the proper framework on how we as techs can talk to those people. Tell me how that evolved over all of this.
[Nick Shevelyov]
So great question. Having to present quarterly to my board of directors and audit committee at a publicly traded bank, heavily regulated by the Federal Reserve Bank, you build that skill up over the course of time, you learn firsthand what works, what doesn't work. And a board of directors will typically have very seasoned, experienced people with a background in finance.
So these are smart people. But when you talk cyber to them, it may not be translated effectively. So I decided to educate myself and I got my MBA to kind of help understand how to speak to a CFO and start thinking about value at risk from a cyber perspective and translating that to quantitative models that a CFO would understand.
I spent time studying with a gentleman named Nassim Taleb, who wrote The Black Swan, from whom I ultimately learned: don't blow up, containerize your risk. I worked with Jack Jones, who later started Factor Analysis of Information Risk, which is now a methodology that lots of banks use to measure their risk. And then I spent time with Doug Hubbard and Richard Seiersen, who were the authors of How to Measure Anything in Cybersecurity.
Doug was also the author of How to Measure Anything. And so, standing on the shoulders of giants, I learned how I can balance qualitative and quantitative risk models in a way that boards can better appreciate and understand. And so this is where the combination of that qualitative analysis, quantitative support, but also including some effective analogical storytelling, helped the audience, with empathy, better appreciate what I was communicating to them.
I also sit on the board of directors of the Bay Area CISO Council. So these are some of the largest companies headquartered here in Silicon Valley. So I get to, on a monthly basis, listen to what's working and what's not working with other CISO operators.
And then I also sit on the board of Cofense PhishMe, which is about a 60 million ARR phishing company. And so it's really listening, learning, taking examples from my peers and applying it in a way that ultimately it's a win-win for everyone.
I'm able to communicate the risk, the value at risk, the annual loss expectancy, tie it to some financial numbers. Think about, you know, what's the return on investment in reducing those risks by understanding your inherent risk and your residual risk after the implementation of a certain control, and then helping the audience get smarter and more informed along the way on this topic.
[Uncle Marv]
All right. You mentioned NIST earlier, so I'm happy that I understand that framework. There's some of the other ones that I probably don't recognize.
But you mentioned this whole idea about, you know, being able to explain these. But it feels like we need to adopt kind of a CEO or board-level perspective ourselves. And is that something that the book can help us do where we can kind of, I don't want to say raise ourselves up to the level, but, you know, even the playing field so that we all understand what it is that we're talking about?
[Nick Shevelyov]
One hundred percent. So towards the end of the book, I cite the National Association of Corporate Directors, which is a body that trains boards on various topics. A number of years ago, they published a guidance on technology risk management for boards.
And so I give credit to them in the book and point to it and sort of integrate some of the questions that they ask. So this is a publicly available document. You can pull it from the NACD website.
And they partnered with the U.S. government. And there are questions that boards are encouraged to ask, such as, do we have a cyber expert on our board? Does that board member encourage dialogue with other board members?
Do we understand the reports that are being presented to us? Are we able to offer credible challenge? The list goes on.
I've distilled that into top 10 things that boards should be asking themselves on cyber. I'm happy to share that with you, Marvin, as well as your audience members. But there's certainly guidance out there.
So that's one body. That's the National Association of Corporate Directors, which I cite in the book. But I've also been interviewed by Diligent.
Diligent offers a digital platform for boards to receive their board packets. They also have risk training. So slowly but surely, we have more tools at our disposal to learn and be more effective at both presenting to boards but also being good board members to understand how our business is managing the risks it faces.
[Uncle Marv]
All right. And those sound like simple questions to start with. So it's not like we have to get out of the gate speaking tech.
Those are just pretty straightforward, simple ones that most people would understand.
[Nick Shevelyov]
One hundred percent. I would keep it simple, right? And complexity is the enemy of not just cybersecurity.
Complexity is the enemy of everything, right? I think that if you truly master a topic, you can simplify it and really get to brass tacks.
[Uncle Marv]
So I think even if we didn't have your book to go by, most techs would at least acknowledge that there's one historical lesson that we have equated to tech security, cybersecurity, and that is the idea of the Trojan horse. We know that story. We know that's where the name Trojan came from.
But a lot of the stories in your book don't necessarily come to top of mind when it comes to tech stuff and specifically, you know, the 300 Spartans. You know, I saw the movie The 300 and nowhere during that movie did I think tech or cybersecurity.
[Nick Shevelyov]
Right. That's a good chapter to pull out. I saw that movie as well.
I learned about the story as a boy. And interestingly enough, I find that we remember stories from our childhood. You might not remember what you learned in second or third grade, but I think you might remember the stories your parents told you and what you learned.
And so very much the power of storytelling and how it resonates with our memory and our feelings and our emotions resonated and inspired me in part to write the book. And so the chapter talks about how the Persian Empire invaded Greece and the various city states were not prepared for that invasion. So 300 Spartan soldiers marched off and engaged with roughly a million-man Persian army at Thermopylae, known as the Hot Gates.
Now, as the movie points out and the story points out, there were a little more than 300 Spartans. There were some auxiliary troops as well, but the real professionals there were only 300 Spartan soldiers and they held off the Persian army for three days and three nights, buying the Greek city states time to marshal their armies in order to defend themselves. And so why did I choose this chapter?
One, it's a story that I think is in popular media and awareness thanks to the movie, but also because the Spartans did something really interesting. They picked their battles, they picked the battlefield on where they wanted to engage the enemy, and they picked this narrow strip of land called the Hot Gates where 300 men could face off against a million-man army. Now, ultimately, the Persians found a route to encircle the Spartans and ultimately they all died.
But what they did was they bought time for the rest of Greece. And so in picking their battles and engaging with the enemy where they wanted to, the lesson here for technologists and MSPs and cybersecurity professionals is we want to pick our battles in cybersecurity. I never want to go into a fair fight with the adversary.
I want to know where I'm going to engage with them. And in legacy environments, we can have jump boxes where you throttle traffic into your network through the jump boxes. You can narrow where you have access to the keys to your kingdom.
In cloud, there are other techniques that we can use. But the point being, we want to manage our attack surface. We want to manage where our threat actor adversaries can do harm to us.
And we want to understand where those hot gates are for our organizations. And we want to crowd our control capabilities in those areas. And once we have the control capability, we want to make sure it's configured correctly and that we have the right scope of coverage.
Right. Capability, configuration and coverage. And that's the lesson from the chapter is that the Spartans, they had the best soldiers.
They had the capability. They were configured correctly. They had their swords and their shields and they had the right coverage.
They had 300 men to defend a narrow point of entry. And we want to think about similar network architecture and defenses, both for legacy environments and for how we architect cloud. I'll pause there and see if that makes sense.
[Uncle Marv]
It does. In the back of my mind, I'm starting to think about all the other ways of narrowing the attack surface with segmentation. But I was also thinking we've done a couple of shows recently on network monitoring and the ability to see everything in or around the network is huge as well.
And I think that that played into the 300 strategy: they picked this place where they could control the narrative. And we as service providers need to do the same thing. We need to control the narrative of traffic in and around our network so that we can manage that, almost in the sense of the phrase I was thinking of the other night, chokehold. You know, where you were talking about the jump boxes and stuff, to a degree I was thinking that that was kind of a chokehold, where the 300 were able to channel the army into going.
Does that make sense?
[Nick Shevelyov]
100 percent. You nailed it.
[Uncle Marv]
All right. Ah, research pays off. All right.
So let me go ahead and let you then, I guess, guide me the rest of the way in terms of how we can look at whether it's your book or whether it's the philosophies that you're teaching us, you know, about how we need to come up with this practical framework for risk management.
[Nick Shevelyov]
Sure. You know, I won't go chapter by chapter through the book, but I'll kind of frame it. And one is the philosophical and cultural mindset the Romans had.
And they had a saying in Latin, si vis pacem, para bellum, which translates into those who wish for peace prepare for war. And so we are businesses. We need to know if we wish for peace, we must prepare for war.
And that means having people, process and technology that are there to help us manage our risk in the digital world. And so starting with that mindset, we need to get skin in the game as we architect, as we build. We need to have a mindset where we've got skin in the game.
And one of the chapters in the book talks about how the Code of Hammurabi in ancient Babylon. Babylon was having architectural challenges. Buildings were collapsing and killing people.
And the emperor Hammurabi created the Code of Hammurabi, one of which was that if you are the architect of a building that collapses and kills someone, that'll be your fate. You will also have a wall collapse on you. And all of a sudden, architects had skin in the game and they cared a lot about outcomes.
And a few hundred years later, they had developed the hanging gardens of Babylon, which were one of the wonders of the ancient world. And so Hammurabi got skin in the game. And it's so important that we have skin in the game, that as we're making decisions that have risk outcomes for our organizations, we do that with that sense of ownership.
And as part of that, the next step is around know thyself, know thy assets. Marcus Aurelius was a Roman general whose diary became a book, and that book is called Meditations by Marcus Aurelius, and he was a Stoic philosopher. Roughly the same time, a Chinese general named Sun Tzu wrote The Art of War.
And interestingly, both military leaders talked about know thyself, know thy people, know thy assets and know thy enemy. And that will help you in war. And in cyber war, we need to have asset inventory.
We need to have application inventory. We want to inventory our data. We want to start to quantify our value at risk.
What's a simple quantification? If the IBM data breach report suggests that a PII record, when lost, costs an organization $165 a record, we can do back of the napkin math and multiply your total number of PII records by $165, and we've got a straight line risk. Now, there's a curve to risk, and the first record you lose is going to cost you a lot more than the last record you lose due to certain economies of scale.
But we can start to ideate on ways to measure our value at risk within our organization. So these are some of the lessons that come out of the book. I talk a little bit about data privacy as well.
I kind of think about security and privacy as two sides to the risk coin. You need to think about both. No security results in no privacy, but too much security can infringe on your privacy.
And so how do you navigate various laws, rules and regulations domestically and globally as you think about managing your risk in that space? I'll pause there, Marvin, and see if you want to double click on any particular areas.
[Uncle Marv]
Well, I was thinking about, you know, the historical aspects that you were bringing. And, you know, when you were talking about The Art of War and stuff, I think we understand know thyself and know our assets. That's an easy thing.
But the concept of know your enemy is something that I think a lot of us shy away from. There are people in our industry that will go out and venture on the dark web and they'll try to figure out, you know, how hackers are doing certain things. But it feels like we probably need to be a little bit more in tune with what is really happening out there.
So I was going to ask, you know, how can we be on both sides of the coin of knowing ourselves and knowing our enemies when, I don't want to say none, but most of us are not of the mindset of a hacker or, you know, a cyber-attack artist or anything like that?
[Nick Shevelyov]
Yeah, and, you know, again, kind of I was lucky as I got to do attack and pen work, red teaming work early in my career with a US secret clearance and I got to develop that mindset and perspective. And so I have incorporated it into how I think about defending organizations. I'd start off by saying first, be excellent in the basics.
Right. Have that asset inventory that we talked about. Have the key controls, the right capability, configuration and coverage.
So table stakes is FIDO2-compliant, phishing-resistant multifactor authentication. We got to have that. And then we want to have privileged access, step-up authentication.
And then, once we have excellence in the basics, we can start to evolve to include some sophistication in understanding how threat actors view us. And there are open source threat intelligence feeds that we can subscribe to.
There are paid services that scan the dark web. And then as you become more sophisticated and you have an appetite to do something about it, because once you get bad news, then what happens, what are you going to do about it? Then there are certain services that you can subscribe to that track what I would describe as digital exhaust: where are your partners leaking data about you that can then be used against you in a world where we continue to have phishing breaches.
We are now seeing a lot more deepfake attacks. All of this becomes relevant as we build more cohesive defenses for our businesses. So that's how I would think about the steps of maturity, Marvin.
[Uncle Marv]
OK. Real quick, before we go on, I probably should have asked this at the very beginning in terms of when you were writing the book, did you have a person in mind? Because I know that we've talked about being able to explain things to business owners and corporate executives.
But a lot of cyber security professionals should find this book interesting. But did you have anything specific in mind when you're writing the book? And have you learned anything different about who really should be reading the book that isn't?
[Nick Shevelyov]
Yeah, you know, I wrote the book for the business leader who wants to learn more about cyber in a way that is comprehensible for them. So a C-level executive and or board members, business owners, people who care about risk outcomes for their organizations and for practitioners who want to be able to translate the risks that they're describing in a way that their audience can better appreciate. And so for your listeners, Marvin, this could be the heads of an MSSP who want to translate the value proposition to clients and prospects and use analogical storytelling to help translate that risk and why an investment should be made in managing their technology in one form or another.
[Uncle Marv]
OK, all right, so those three stories that we started with, I brought up the Trojan horse and then we talked about the 300 and Marcus Aurelius and stuff. Those are all popular stories that I think people at least would have an affinity to.
Is there a story in the book that maybe wouldn't stand out as one that people would know about but has a huge impact on how we should approach, you know, talking to our executives?
[Nick Shevelyov]
You know, one might be the invasion of Normandy and survivor bias. So during the Normandy invasion, during World War II, the Allies were invading the beaches of Normandy and the B-17 bomber was a bomber plane that was used to drop bombs in advance of their invasion. And they had a high mortality rate, meaning a lot of them were being knocked out of the sky.
And the planes that were returning, they were being analyzed by what we now call the Air Force. But this was an element of the U.S. Army at the time. And their analysis showed that the planes that are coming back, a lot of them have their noses blown off and we should fix and harden the nose and maybe that'll help.
And there was a mathematician named Abraham Wald who said, actually, no, you're doing this exactly the wrong way. You're only sampling the survivors of the battle that are returning and you are suffering from survivor bias, meaning you're only looking at the planes that are coming back. But if you sampled all the planes that were going out, the ones that aren't coming back are the ones that are being hit in the areas that are untouched on the planes that are coming back.
So there's lots of great articles about this. And so it's survivor bias and sampling bias that happens when we just look at the survivors of the Normandy invasion. And the way we can translate that is when we have cybersecurity breaches, when we have ransomware attacks, when we have malicious software that spreads on our network, we're typically biased to just look at the impacted systems to see what happened.
And the encouragement is to step back. And once you do your forensics analysis, have a better understanding of where your defenses worked and where they didn't work, and don't fall into one of these biases, survivor bias as well. And so it encourages more holistic thinking on defense in depth and how we think about layers of protection and where they succeed and where they fail, and understanding where we course correct in our strategies from those lessons learned.
[Uncle Marv]
All right. For some reason, I was hoping you'd bring up Napoleon.
[Nick Shevelyov]
We can do that one as well. There's a couple of chapters, you know, the greatest battlefield tactician of all time. He gets two chapters.
Did you want to talk about Austerlitz? Was that the one or Waterloo?
[Uncle Marv]
Austerlitz was the one that I was referring to. And it was funny because I think when we think of Napoleon, all we think of him as is just being a short man, associated with imposter syndrome for some reason. But at least when I was looking at this, the whole idea of Napoleon being able to,
you know, know when to hunker down and know how to be resilient and how to, I guess, trick his enemies into a trap, that's what kind of stuck out to me. Is that how it was supposed to come out?
[Nick Shevelyov]
Yeah, that's a great summary. I'll kind of add to it is he was an innovator, right? He introduced elements that had not been done before.
So he would not march, stop, eat, or sleep. They would live off the land. So his troops moved very quickly by living off the land.
And two, he was the first to break his armies into army corps that could move independently but joined together at the battle. So an innovator for sure. He would also say never paint a picture of the battlefield.
It's too dynamic and a picture is static. But one of the things he did at the Battle of Austerlitz, which is widely accepted as his greatest victory, he was outnumbered against the Austrians and the Russians. But he arrived early to the battlefield and he would walk the field of Austerlitz.
And he would actually personally understand where morning mist would come in the territory, the hills. And he talked about the map is not the territory, but you need to understand both. How are you mapping it and what is the territory?
And so he actually used the mist that would roll in to Austerlitz in the morning to hide his troops. And so he engaged with the Russians and the Austrians. And then he flanked them with the hidden troops in the mist.
And so the lesson for us is kind of going back to know thyself, know thy territory, know thy assets. But actually, what are the cadences within your network? How are different elements of your network different from one another?
What's normal? What's not normal? And you want to keep mapping out that territory and understanding the lay of the land is the lesson from that chapter.
Is that kind of what you got out of it? Or is there anything else you want to add?
[Uncle Marv]
No, that was fine. That's obviously better than what I said, because I was thinking of it from the standpoint if he was using all of that information, you know, to gain a better advantage, I guess, of the situation. And you're right, bringing the changes in the way that the troops, you know, interacted together where it just wasn't one troop, he could break them apart.
It was pretty good there. When we look at that, though, from a security posture, I know you just mentioned, you know, all the things that we could do in terms of knowing the field, going back to know thyself and stuff. But how can we translate that into
constantly evolving threats and client environments? I mean, our client environments are not static; like he talked about the picture, they change all the time. We've got to find a way to keep our documentation up to date. We've got to have network monitoring.
I called an office this morning because I had a device that went down and came back up and a new device popped on the network that wasn't supposed to be there. And it was funny because when I called, she actually picked up and she goes, let me guess. You noticed I moved my computer.
I said, yeah, but you've also got a phone plugged into the wrong port and stuff. And so from that perspective, that client thinks that I'm on top of it by knowing what's going on in the environment and stuff. Now, I know that that's just, you know, a little basic and not huge, but.
You know, part of me sees all of this as part of the strategy where we need to have that, you know, knowledge of the field and be able to have that dynamically changing vision with all of that.
[Nick Shevelyov]
Yeah, you have observability into your client's network, which is essential to managing network health. And we have network operation centers to do that, but also critical for security health. And we have security operations to do that.
And you're monitoring the right stuff. And so I think that the takeaway, and maybe the lesson from what you're doing with your client, Marvin, and for all of us, is to have gradual enhancements in observability into our networks: understanding what's normal, what's not normal, setting baselines with thresholds. And when we deviate from certain thresholds, some bells and whistles go off, and then what happens, right?
An alert goes off and then what happens? A lot of operators deal with alert fatigue or how do we tune the alerts to be effective? How do we watch out for false positives and how do we test that we're measuring for the right thresholds?
So those are the items that come to mind as we're trying to monitor a network. You can't defend a network if you don't monitor it. And so you need to do it with actionable intelligence and there's ways to do that with humans.
There's now AI capabilities that can complement humans and augment humans. And so those are the various things that come to mind as we think about monitoring and protecting a network and having the right observability.
[Uncle Marv]
All right. So, yeah, tons of chapters about history that could help us frame this. I don't want to leave out what I think might be just as important is that you have a lot of templates and exercises and stuff in the book.
Some of them are even, I guess, exercises that, you know, can kind of help us. Have you gotten feedback about which ones have been most impactful or do you have any that you would say, if you're going to look at this and try to cherry pick, these are the ones to start with?
[Nick Shevelyov]
You know what? I end up doing a lot of board work. So some people have said tabletops have been really fun and useful.
The value towards security and associated costs were great. The sliding scale of security where if you invest enough in architecture up front, you reduce the amount that you have to spend on security later. But the ones that I think end up getting people's attention is, you know, how do we translate these sort of risks at the board level?
What's the guidance? I mentioned earlier the guidance that I've shared based on the NACD. Some people have enjoyed the corkscrew thinking exercise, which is what we call today out of the box thinking.
And so that's been part of the fun part of publishing a book and going on a book tour. And then continuing to speak at events is hearing feedback from folks and seeing how they're using it in different ways. And so that's been some of the feedback over the years, Marvin.
[Uncle Marv]
Okay. And I guess one last question that we didn't get to, but we had talked about before. The concept of technical debt.
[Nick Shevelyov]
Right. That, you know, it's a byproduct of our own success and how long we've been in business. Right.
The older a company is, the more tech debt they probably have. And these are just, you know, old systems. Maybe they're not fully patched for performance.
Maybe they're not fully patched for security. Maybe there's less interoperability and we want to adopt new tech like in the cloud or even new AI tech. But due to interoperability challenges, we have that legacy debt.
And so how do we refinance our technical debt at lower interest rates? How do we upgrade old systems and old architectures? How do we make sure that the bad news that's embedded in those systems from lack of being able to patch them, that we do something about?
Bad news doesn't age well. And bad news doesn't age well in cybersecurity. And so we have critical vulnerability exploits that are published.
And it's true that only 5 percent of the critical vulnerability exploits are actually exploited and they end up in the known exploitability vulnerability database published by CISA. And then you can look at first.org/EPSS, where I'm a contributing working group member, where we think about the exploitability of a critical vulnerability. But once you have a critical vulnerability that's been out in the wild, exploited, and it's reachable from the outside world, that's been a long time coming.
It's bad news and you need to do something about it. So those are all the elements of technical debt that I think about. And we want to invest in technology and invest a portion of that technology in securing that technology in order to have resilience within our organizations.
[Uncle Marv]
All right, Nick. We just threw out a whole lot of stuff there in a short amount of time, so I want to make sure that people know that the book, which I will have a link to in the show notes, is again entitled Cyber War and Peace: Building Digital Trust Today as our guide. And obviously, you're going to learn from history how to manage today's digital risk.
Of course, what is it, building digital trust? One of the things and of course, the practical guides with the checklist and guides throughout the book there. Nick, like I said, this is a lot of stuff.
I know that we kind of jumped all over the place. Is there anything that you think I missed in asking you about that? We want to make sure listeners take home.
[Nick Shevelyov]
You know what? I think we covered a lot. Marvin, I appreciate you having me on the show.
Excuse me. And, you know, my entire business is based on referrals, so I'm grateful to be here. Reach out if you want to talk more and I'll bid you a good afternoon, sir.
[Uncle Marv]
All right. There we go, folks. Again, Nick Shevelyov, CEO at VCSO.AI. I'll have a link there. We'll have a bio there. Nick has over 25 years of experience where he's been doing consulting, executive and advisory roles. And you heard of his tenure at Silicon Valley Bank, folks, somebody that you really should pay attention to.
And you've spoken at a couple of big industry events, too, right, Nick?
[Nick Shevelyov]
Sure. I've spoken at a ton of cybersecurity events, industry events, accounting events. You name it.
Anyone who's interested in cyber, I've probably been there over the years. So it's a big part of growing the network. It's fun and it's interesting.
[Uncle Marv]
I'm going to have to find out where these cyber events are and make sure I get to see you and meet you in person. But Nick, thank you very much for coming on and look forward to chatting with you again in the future. And I'm going to go back and finish the book so I can make sure that I am up to date with everything that you've said there.
Any plans for another book?
[Nick Shevelyov]
I am. I like to write about the topics that I find most interesting as they relate to my profession. And I'm working on another book that leverages insights on cognitive biases, behavioral economics as how we think about elements of risk for the next book.
[Uncle Marv]
All right. Well, I will look for that and maybe have you come on when that comes out. So thank you very much.
[Nick Shevelyov]
Look forward to that. Thank you, Marvin.
[Uncle Marv]
All right, folks, there you have it. Another episode of the IT Business Podcast in the books. And again, my guest, Nicholas Shevelyov.
Thank you very much for coming on and listening to this show. Be sure to stay tuned. Check out VCSO.AI. And of course, I said we have a link to the book Cyber War and Peace at all in the Amazon store. And I want to thank Nick for coming on and giving us a little bit of insight from somebody who was a chief information officer at a very big bank. So his knowledge means something that we should all pay attention to. That's going to do it folks for this episode.
Thank you very much. We'll be back with more at a later date. And until next time, holla.

Nick Shevelyov
CEO and Managing Partner
Nick Shevelyov is a cybersecurity executive, advisor, investor, and published author with over 25 years of experience in cybersecurity, information technology, data privacy, and risk management. He is the CEO and Managing Partner of vCSO.ai, a cybersecurity advisory and consulting firm, where he helps organizations—from startups to Fortune 500 companies—enhance their risk strategies and develop next-generation security solutions.
Nick previously served as the first Chief Security and Privacy Officer and later Chief Information Officer at Silicon Valley Bank, where he built and led global cybersecurity and data privacy programs during a period of rapid growth and innovation. He is also a board member of the Bay Area CSO Council and Cofense, and advises several leading venture capital and private equity firms on security investments and product development.
Nick is the author of Cyber War…and Peace: Building Digital Trust Today with History as our Guide and is a frequent speaker at industry conferences. He holds an Executive MBA from the University of San Francisco and multiple industry certifications, including CISSP, CISM, and CIPP.