How This Bank CISO Can Redeploy His Infrastructure in Minutes

The Connectivity Cloud Podcast · 2025-10-29 · 24 min

Substance score

41 / 100

Five dimensions, 20 points each

Insight Density: 8 / 20
Originality: 7 / 20
Guest Caliber: 12 / 20
Specificity & Evidence: 8 / 20
Conversational Craft: 6 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

8 / 20

A few genuinely operational ideas surface—most notably redeployment speed as a resilience posture and the split between 'security during using AI' vs 'AI security'—but they are not developed deeply. Much of the runtime is consumed by generic management advice, host summaries, and platitudes.

if you cut all dependencies on legacy part, if you are able to deploy your environment by click, I would say it's not literally by click for sure, but for some particular endpoints it could be by click. But it means that in a minute you can redeploy
accuracy will be 75 to 85% yet is good enough to risk considering potential benefits from having it on board

Originality

7 / 20

The wartime-driven infrastructure philosophy (multiple clouds, minute-level redeployment) is a modestly fresh angle grounded in genuine operational necessity, and the AI skepticism is mildly contrarian. However, the majority of advice—speak stakeholders' language, engineering culture, treat your work like a product—is well-worn management wisdom.

If you can redeploy in a minute, what four you will suffer. What four will you fight?
Nothing works better than speaking with your customer on their own language

Guest Caliber

12 / 20

Yevhen is a genuine practitioner—active CISO at a real bank operating under wartime conditions in Ukraine plus an academic director role—not a career podcast guest. The operational credibility is real, but the depth of expertise surfaced in the transcript is modest and the guest speaks in fairly general terms throughout.

we are living in a tough environment during full scale war
we already have several incidents with AI part, so it's already here

Specificity & Evidence

8 / 20

There are scattered concrete data points—training frequency, backup counts, AI accuracy range, named vendors—but no dollar figures, no named incidents, no company-level metrics, and no case studies. The specifics that exist are thin and isolated rather than supporting a detailed argument.

usually at least 5 to 10 trainings per year for each and every employee inside security function
accuracy will be 75 to 85%

Conversational Craft

6 / 20

The opening reframe question ('describe your job without saying CISO, compliance, or risk') shows creativity, but follow-ups are consistently weak—the host repeatedly paraphrases the guest's answers back to them as full paragraphs, adds sycophantic affirmations, and never challenges a single claim. No productive tension is generated in the entire episode.

That sounds really great to me. I feel like you guys are very agile and well situated compared to other players in the industry
Okay, interesting, lots to learn here. So long story short, I will try to summarize

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Share of words spoken

  • Speaker A: 61%
  • Speaker B: 39%

Filler words

so 56, like 50, right 23, actually 10, basically 6, kind of 2, you know 1, literally 1, honestly 1, anyway 1

Episode notes

In this episode of The Connectivity Cloud Podcast with Cloudflare, host Mark Dembo is joined by Yevhen Baliutov, Chief Information Security Officer at Raiffeisen Bank, to share his playbook for turning security from a cost center into a strategic asset, through language fluency, self-confidence, and measurable value.

What You’ll Learn

  • How to communicate security value across departments by speaking each stakeholder's language
  • The critical balance between multiple backups and rapid infrastructure redeployment capabilities for robust disaster recovery
  • Why implementing AI requires both security guardrails and cultural transformation to maximize value while minimizing risks
  • How to build engineering-first security programs that create lasting organizational value
  • Why developing next-generation security talent requires balancing technical skills with business acumen
  • How to implement security measures that enable rather than block business innovation

Yevhen Baliutov serves as Chief Information Security Officer at Raiffeisen Bank and Academic Director of the Cyber Security bachelor's program at Kyiv School of Economics.

Full transcript

24 min

Transcribed and scored by The B2B Podcast Index.

We are living in a tough environment during full scale war. Nothing works better than speaking with your customer on their own language. Yevhen brings over 16 years of leadership across diverse sectors, transforming security from a necessity into a strategic business enabler. If you can redeploy in a minute, what fall you will suffer? What fall will you fight? For example, if you just can. Ready Block. Welcome to the Connectivity Cloud Podcast. The podcast that provides expert insights into the cloud and IT landscape. I'm Mark Dembo and each month we'll explore key topics like scaling secure infrastructure, tackling emerging risks and staying ahead of the latest trends. Whether you're managing multi vendor environments or navigating cloud modernization, this is the show for you, delivering practical advice for today's decision makers. Welcome to the Connectivity Cloud Podcast, your trusted source for insights into the latest trends, strategies and technologies shaping cloud security and infrastructure. I'm your host, Mark Dembo and today we're joined by Yevhen Baliutov, the Chief Information Security Officer so CISO at Raiffeisen Bank and the Academic Director of the Cybersecurity Bachelor's program at Kyiv School of Economics. Yevhen brings over 16 years of leadership across diverse sectors, transforming security from a necessity into a strategic business enabler. He has a track record of driving cultural and technological transformations that unlock business value. Today we'll dive into his value driven approach to security leadership, the challenges of operating in a dynamic global environment, the secure adoption of AI, and his mission to cultivate the next generation of cyber talent. Yevhen, welcome to the Connectivity Cloud Podcast. Thank you. Hello. Nice to be here. Awesome. Let's dive right in. We have lots to discuss. You're championing the idea that security can be a business accelerator and even a profit center. 
If you had to describe your job to a complete stranger at a dinner party and you couldn't use the word ciso, compliance or risk, what would you say you actually work on? Are you a chief problem solver? A secret revenue enabler? What is your job? I would say good question. So speaking to the stranger, I would say, look guy, I have some business I need to solve. Regardless security, regardless marketing, regardless products bringing value like internal processes. So I am a CEO of the small business, bringing additional value to the customers through doing their life more secure. Something like that. That sounds pretty compelling. I think that was pretty good. I put you on the spot there. I promise you the next question is going to be a little bit more in your comfort zone. You mentioned security basically adding value, right? Or basically being a profit center. From my perspective, that requires buy in from everyone. Right. So what is the biggest hurdle you face when trying to go to departments like product or sales and they see security and most likely they see it as like a hurdle. Like they see you as a blocker. Right. But instead you want them to see you as a partner. How do you do that? Like how do you help them create value? Nothing works better than speaking with your customer on their own language. So if you're speaking with cfo, bring some figures on the table. If you're speaking with a risk officer, bring some risks and also calculate it with money. If you're speaking with IT peers, definitely you need to bring taxonomy. It understands well. So as well speaking without with transformation Office for example, or PMO office. Okay, you need somehow to show your P and L somehow show your backlog feature backlog somehow. You need to show how you will connect this feature to the customer and what will be your for example churn rate. So the secret or key here I would say is to speak on their language. This is first thing. 
And the second thing you need to be self confident enough that you could deliver this. Without that self confidence, everything will be the very big question from P and L to real value. So you need to calculate, you need to communicate and then you need to deliver. So being consistent on the way, being self confident on that and definitely bring the best people on board. This is the complex thing. So it's not an easy answer. Yeah, it sounds like quite the challenge. And it seems like you speak a lot of languages then, which is quite impressive. Right. Just perhaps going into the more security side of the house. Right. In a role like yours, readiness for something to go wrong is not a question of if but when. I guess. Right. How do you and your team train yourselves mentally and strategically to prepare for such a black swan event? Maybe like that one threat or disaster that seems not likely, but it's still happening. What do you and your team do to prepare and perhaps also actions that you guys implement? I would be happy to answer yoga and other mental practices, but it's not the case. Definitely we are going through lots, lots, lots of trainings to be on the same page. First to be, I would say actual with modern technologies. For example, we already have several incidents with AI part, so it's already here. Yet we usually train our staff continuously like across years, through the years. Usually at least 5 to 10 trainings per year for each and every employee inside security function. So this how it works because then we spread. First we educate internal resources and then we spread across organization so you can multiply it by number of awareness managers. I would say from security function, this is actually how it works in any enterprise. It should work, I hope for everybody being actual during these. I would say from technology perspective, tough times because we have more technologies than we can digest at the moment. It's quite a task. 
And for me the most important thing is how we communicate, how we remediate incidents. And definitely making technically impossible to hurt the company is the most important part of the whole exercise. So speaking about incident response, speaking about how we increasing our readiness, I'm speaking more about increasing technical capability to prevent incident than to react on the incident. This is how it works on scale for me. You mentioned that you're trying to make it impossible to technically hurt the company. Right. How does that look like in practice? Is it getting your defenses up or is it basically having tons of backups because no defense is perfect? Is it a combination of the two? I'm curious. It's definitely a combination, but the proportion you need to calculate from your side for each and every company, from each and every ecosystem and infrastructure. So for our perspective right now we are living in a tough environment during full scale war. And definitely we have more than like 4 and 5 backups in different environments. It's definitely multi cloud environment, multi data center environment. This is a huge hybrid environment. And this is the first part of the exercise. And the second part of the exercise is, is to how to redeploy your infrastructure by click in a minute. So if you cut all dependencies on legacy part, if you are able to deploy your environment by click, I would say it's not literally by click for sure, but for some particular endpoints it could be by click. But it means that in a minute you can redeploy. If you can redeploy in a minute, what four you will suffer. What four will you fight? For example, if you just can redeploy, this is I would say tactics, how you can solve average incident. For sure it could be different, very different with databases with different environments. But in general, from the one hand we have lots of backups because ransomware threats here. 
From the other hand we have operational model provides us possibility to redeploy our infrastructure in minutes. That makes a lot of sense. I feel like you guys are very agile and well situated compared to other players in the industry. If you are at that level of sophistication, that sounds really great to me. One other point that I want to pick up on, what you said previously is saying okay. There's more technology out there than actually you can process and consume and put into the hands of, I guess, employees and your customers. Right. I guess one of these things or one of those things fueling this is actually AI. Right. So what are your thoughts on that? I feel like there's a big ask from business. Hey, we want to make our employees more productive. We want to maybe automate some processes and adopt new tools. And there's new players on the market popping up basically daily. What's your take here and how do you try to enable your employees and your customers to use AI? There, the cool question again. And I will divide the topic for the two parts. The first part I called security during using of AI. And the second part is AI security. Okay, so employees are more or less closer to the first part, security during using of AI. And that's the question of the culture. That's the question of technical limitations in place without any impact on the process of investigation and leveraging the technology. For example, guardrail. Why not? So if I could open for you every AI public model, why should I preventing you using that? If I could create some mechanism preventing you from sharing sensitive data to the public model? Sounds fair. Yeah, sounds absolutely fair. Is that possible today? I don't know. You know, Mark, I know it very well. Definitely with some, I would say level of risk appetite, with some level of risk policies in place, it's possible, I would say accuracy will be 75 to 85% yet is good enough to risk considering potential benefits from having it on board. 
Okay, so yet you can use it like through different technologies. Like you can use Microsoft Copilot, you can use AWS Bedrock, you can use technologies from Cloudflare, you can reuse public models through to additional layer, additional interface. Yet it will be the same technological device, the same concept. So anyway, you have to prevent data leak from your site closer to your customer because no vendor will solve it for you. You cannot delegate this part. Second part I called AI security. It's less about customers and more about business processes, more about pure technology. When you are having some AI on board again through our public models or internal models, for us particularly it's Ukrainian rephasing right now is not so actual to use own models because we need to, I would say burn money to make it real. But we are actively reusing capabilities of public models and again guardrail, and again corporate copilot, and again aws. So all the same players are in place. So we are trying to reuse to find our silver bullet for Some specific business cases we are trust in and we have some, we have very few yet. But I still see some capabilities on how we can adopt in the nearest time. And I see potentially interesting figures, but not so to be frank. So if you're asking me, I'm a fan of technologies in security specifically and in general, but I'm not very huge believer in AI as a separate technology will bring us some new super cool value we didn't have before. It's maybe some good add on to speed up some processes, but not so much. Okay, interesting, lots to learn here. So long story short, I will try to summarize. Right number one is for employees internally, right is like okay, if you have the right guardrails in place, you don't need to limit technology a lot, so to say. And people can adopt, so to say, make sure that you don't need customer data. And then the other part is AI and business processes. 
Hey yeah, they are first use cases and you can do this securely. But the real unlock is still to come. The value like has to be proven basically out there. I want to take a step back and shift gears because you're not just the CSO of a bank, you're also an academic director. So you're nurturing the next generation of cybersecurity professionals, I guess. Tell me more about that. When I went to university, I think these kind of programs did not even exist. So what does this look like? What can students expect? I'm curious. The same here. Me finishing my academy at 2011, I had some security there, but it was different security from what we have today. Today is more or less cyber security. Before it was more or less technical security part. Now it's transforming and for example, five years ago these cybersecurity programs, they were less major, like crawl level. Now it's trying to run from time to time. And we are not fighting, but we are competing with artificial intelligence program, with classical software development programs. So we are becoming bigger and bigger. What can you expect? Mix IT security, security governance, business continuity, IT risk management, development of security tools, security monitoring, zero trust and so on. From the very first year you can expect the typical program of computer science. Then we will define together with you your path or you're more manager, or you're more engineer. If you're more engineer, you will go and learn for example operation system security, like security hardening features or like how to build your own secure operating system. And if you're more manager, I will learn or I will teach you how to make security program for example, for any company, this is a different science, but we will combine somehow. So the final grade, fourth grade, you will be able to be I would say good junior security specialist at the market. So that's my target actually. Yep. 
And this is like my belief that we need to impact for the next generation. This is very cool today, like CISO, like security director, like Pentest specialist, like access manager specialist, security mentor specialist. I don't care. But I care in the next generation. I care in our possibility to share our knowledge through the years. And I don't believe we could do that being 60 years old. It's better to share actual knowledge right now, right here. That sounds so great. We talked a little bit before this recording already and you mentioned that you want to take the program where other programs might be a little bit like compliance driven in their approach. You want to go like engineering first culturally. Right. And I could tell that you really had a passion there. I would love to understand like why do you think it's so critical and what's the fundamental difference if you then enter the job market, if you go to you join a corporate security team. Why does that engineering first mindset is a passion of yours? I believe in that any person passionate enough and having willingness to create some value could create value by their own hands. Combining existing technology and their personal view and those persons usually in typical world we call engineers. And I don't believe that we as a manager, me as a manager in vacuum could create any value except any person being comfortable near me, speaking about any topic. So my most senior skill nowadays is to care about my people. My people, most of them are engineers, my people, most of them are people who are creating value. So seeing at scale how people are creating value, the only one way how to maximize that value and scale that value for me is to create new generation of engineers. So I don't see any opportunity for example for big companies like Cloudflare, for example, like Apple, for example Nvidia for example, and so on. 
Any tech company, any pharmaceutical company, any company, to create something new without engineers. So my approach when you're speaking about security, to inject security engineers inside typical security culture. So with that injection in some time we are becoming one piece. So that's crucial for the culture. This is how it works, this how security transformation works. Like partially digital transformation works when you're creating something as one piece, for example, when you're integrating your security inside of sdlc, for example. So this is why I see the most valuable thing is we need to prepare the whole new generation of engineers and engineers, engineers. We need those for rebuild Ukraine. We need those to support our industry right now, worldwide, especially at Ukraine. So this is my input, this is my belief, this is my bet. This is what I work with. Honestly, it's really inspiring to hear your passion here. One can tell that this is truly what you believe. And I feel like if people are on a mission and they go for it and you actually do it right, you have that impact. As the academic director, I feel like that is awesome to see. I really hope that more and more people do this program and you can really have the impact on the next generation of cybersecurity professionals out there and looking 15 years down the line, maybe the next generation of security directors or ciso, right? This leads me a little bit to, I think the last question that I have for today. The environment is constantly changing, right? And let's imagine I have just graduated from your program, or I've been a few years in a cybersecurity function. I'm a young professional basically there, and I want to go from that engineering, the heavy mindset and I need to go up management, right? And I wanted to take that path. I want to become a future director, ciso, whatever that looks like you already mentioned, the most important impact is having a focus on people. 
I would love to understand what are skills or changes in mindset and culture that you would advise those young professionals to take to do those steps in their careers and actually go from individual contributor or engineer to actually then having a bigger impact on the organization and becoming a force multiplier. Cool. And again, I will rephrase it a little bit. This is like kind of professional skill. Okay, two parts. First part is answer a question you didn't ask. Not everybody should be managers, that's the thing. Second thing, forget taxonomy. Nobody cares. To be frank, nobody cares. At some level it becomes absolutely unnecessary, useless and sorry to say, but sometimes even stupid. When you have chief manager of engineer of AI security monitoring, resort, Vision, Spotify Stars and so on. From the other hand, if you want to switch from individual contributor as an engineer, as a part of the team, to something bigger, when you forget taxonomy, start to think like a customer, start to think like your stakeholder and start to think like your shareholder. If you have those, definitely. And think which value could you bring to be overestimates and to be over expectations. So trying to think like out of the box, but not in classical description, but trying to be at the same time engineer, manager, customer requester, shareholder, and so on thinking like that you will understand that okay, you need not only just like create backend function and fancy front end for that and security for that and having business reason to having that, but you also need to have good customer experience with your feature. Okay, it means that you need to ask customer first. It means that you need to put some adjustments for example to be comply with some compliance rules and don't forget about risks and legal part as well and make it with metrics. So collect data and provide it to the customer and then ask about the feedback. 
So if you will work with any feature like with your product, regardless of your function, regardless you are working with mobile application for online banking or you're working for authentication tool for your company or anything like that, if you will treat your feature or product like full scale product, you will succeed with that approach. Maybe not today, maybe not tomorrow, but day after tomorrow. If you will treat your products like products, you will succeed. Super interesting. I much appreciate your direct answer here, especially the preface in the beginning. And I think yeah, the shift going from actually focusing on your task and instead of asking like hey, who am I doing this task for? What do they care about the stakeholders out there, the service that you're actually working on? That is a big shift. It takes a lot of training but it's so, so impactful. And I think that's true not only in cybersecurity, but in general to uplevel your career all around. Really solid advice. Yevhen, thank you so much. This was super insightful. Time has flown by. I much, much appreciate you coming on. Thank you, thank you very much for having me for inviting. Thank you, thank you for tuning in to the Connectivity Cloud podcast. If you found today's episode valuable, be sure to subscribe so you won't miss future updates. Stay ahead of the curve, stay connected and stay secure. As always with Cloudflare.
