What we talked about
Steve Tcherchian, CEO of XYPRO, explains how XYPRO protects the mission-critical HPE NonStop systems that move money, run payments, settle trades, and support national infrastructure. He notes that most customers do not complain about hackers first; they complain about complexity: too many tools, dashboards, audits, and reports that create work without reducing risk. Steve breaks down common misconceptions, including “compliance equals security” and “uptime equals security,” and argues that security must be treated as a real business risk, not just a technical problem.
Show notes
When Steve Tcherchian asks a room of executives who owns incident response, who talks to the board, who talks to regulators, and who is authorized to make decisions while an attack is in progress, the room typically goes quiet. That silence, he says, is the single most reliable warning sign that a company is not ready. Steve has spent more than 20 years in cybersecurity protecting HPE NonStop systems, the mission-critical infrastructure behind payments, stock exchanges, and bank settlements, where downtime has immediate, measurable economic consequences.
What we covered
- Compliance and security are not the same thing. Compliance is a backward-looking activity: a list of things that have gone wrong in the past. It does not address modern threats. Steve’s framing: “We don’t want to get hit with a fine” is a liability strategy, not a security strategy, and the two should never be confused.
- AI did not invent new attack types; it made average attackers significantly better. Phishing messages that once gave themselves away through broken English or grammatical errors are now polished and natural. Reconnaissance is faster. Malware mutates more quickly. Steve’s advice: compare the phishing emails in your inbox today with those from 12 months ago, and the improvement is visible.
- Attackers know that most security cameras, metaphorically speaking, are pointed at production systems. So they enter through the less-watched development or backup systems, which are connected to production. Ransomware groups typically go after the backups first, disabling recovery capability, and then exfiltrate that backup data separately to sell on the dark web repeatedly, independent of whether the ransom is paid.
- The mean time to detection for a breach currently hovers around 200 days, more than six months. Marriott’s breach went undetected for over four years. Steve argues this reality shifts the goal from “prevent everything” to “detect and recover as fast as possible,” and that resilience needs to receive equal investment alongside prevention.
- Adding security friction to users is counterproductive. Complex password policies cause users to store credentials in a desktop file called password.txt. Steve noted this is one of the first files an attacker looks for after entering a system. The same dynamic applies to any security control that makes people’s jobs harder: they will route around it.
- His advice to aspiring security leaders: learn to speak in business terms. Security professionals who can explain risk in financial terms get budgets. Those who can explain it in board terms get authority. Being technically right is not enough; influence matters more than intelligence, and culture will outperform any documented security strategy that is not backed by genuine buy-in from the top.
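The password.txt point above is one a defender can check for directly. As an added example that is not from the episode, XYPRO, or its products, here is a small audit script that walks a directory tree and flags files an attacker would grab first: files whose names suggest stored credentials, and files whose contents contain credential-like lines. The file-name and content patterns are my assumptions and should be extended for your environment; the sample home directory is constructed inline so the script runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed, illustrative list of file names that tend to hold plaintext credentials.
SUSPECT_NAMES = re.compile(
    r"^(pass(word|wd)?s?|creds?|credentials?|logins?|secrets?)(\..*)?$",
    re.IGNORECASE,
)

# Lines that look like "password = ...", "token: ...", "api_key=..." and so on.
CRED_LINE = re.compile(
    r"(?i)\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+"
)


def find_credential_files(root, max_bytes=64 * 1024):
    """Walk `root` and return a sorted list of (relative_path, reason) tuples for
    files that look like credential stores. A file is flagged when its name is
    suspicious, when its first `max_bytes` contain credential-like lines, or both.
    Binary files (containing a NUL byte) are skipped for content inspection."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = []
            if SUSPECT_NAMES.match(name):
                reasons.append("suspicious filename")
            try:
                head = path.read_bytes()[:max_bytes]
            except OSError:
                continue  # unreadable file: nothing to inspect
            if b"\x00" not in head:
                text = head.decode("utf-8", errors="replace")
                hits = [ln for ln in text.splitlines() if CRED_LINE.search(ln)]
                if hits:
                    reasons.append(f"{len(hits)} credential-like line(s)")
            if reasons:
                findings.append((str(path.relative_to(root)), "; ".join(reasons)))
    return sorted(findings)


def demo():
    """Build a constructed sample home directory (fake data, not real credentials)
    and scan it. Returns the findings so they can be checked programmatically."""
    root = tempfile.mkdtemp(prefix="homedir_")
    samples = {
        "Desktop/password.txt": "vpn: alice / Summer2024!\nbank password = hunter2\n",
        "notes/todo.txt": "buy milk\ncall dentist\n",
        "app/config.ini": "[db]\nhost=localhost\npassword=s3cr3t\n",
        "Downloads/report.pdf": b"%PDF-1.4\x00binary junk",
    }
    for rel, content in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            p.write_bytes(content)
        else:
            p.write_text(content)
    return find_credential_files(root)


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{rel_path}: {reason}")
```

Run as-is, it reports Desktop/password.txt (flagged on both name and content) and app/config.ini (flagged on content only), while the to-do list and the binary PDF are left alone. Pointed at real user profile directories, the same scan surfaces the files a password policy has pushed people into creating; the fix the episode argues for is to reduce that friction, not to punish the users who routed around it.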
About Steve
Steve Tcherchian is the CEO of XYPRO, a cybersecurity company specializing in the protection, compliance, and resilience of HPE NonStop environments used by banks, payment processors, and stock exchanges. He is a patent holder and previously served as XYPRO’s Chief Product Officer and CISO before taking the CEO role.
- LinkedIn: https://www.linkedin.com/in/stevetc
- Website: https://www.xypro.com
Episode 129 of the PreVetted Podcast.