Eliahu Assif is eToro’s Head of Cyber Defense and Information Security. Previously he held the position of Chief Technology Officer at the Israeli National CERT as part of the Israeli National Cyber Directorate.
Eliahu is a Ph.D. student at Haifa University (Political Science) researching “Why regulation fails in Cybersecurity”.
What is your overall approach to information security?
Cyber is a world of questions; Security is a world of answers. Hence, we need to learn the business and become business enablers, and always keep asking questions.
Our vision should be:
- To become a leading business-enabler that is consistently committed to supporting the company’s business efforts and activities, by effectively securing its daily operations, technologies, assets, premises, and employees.
Our mission statement should be:
- To continuously identify and remove (or hedge) potential security risks, slits, weaknesses or exploits that may block, interrupt or otherwise interfere with eToro’s expansion and business operations.
- To provide the company with creative and efficient trade-offs between business demands and security requirements.
- To provide the company’s management with clear, well-defined, and timely visibility of potential risks that may NOT be reasonably hedged or removed.
Innovation is an important quality for a CISO. We must be business oriented team players, open to changes, as well as constantly expecting the unexpected.
For example, today at eToro we are building a Cyber Defense Alliance with other companies, which are also business competitors, since we all share the same threats.
This is how the CISO could lead and become efficient for the organization.
For security executives who don’t have a strong relationship with their board, how can they improve it?
Cybersecurity is not operational security – if we address the board with an operational perspective, we won’t bring anything to the table that the CIO or VP of R&D could not.
To earn a seat at the table, you need to carry out three tasks:
- You need to learn how to simplify things and not lose the audience’s attention – Simplicity is not simple!
- Describe how you support the organization’s spear strategy, raise the questions and difficulties, suggest a solution and never complicate things with buzzwords. Your board members are hard-working and busy managers, and need to be treated in a concise and incisive manner.
- Emphasize the money saved, rated by preventing and containing incidents so as to minimize time and money lost.
Some people call for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies. What are your thoughts on this?
On the one hand, when we look at a star athlete, we see an outstanding person who is constantly progressing thanks to training – as training leads to perfection. On the other hand, we risk creating the “boy who cried wolf” syndrome and impacting readiness.
Drilling too frequently could bring the opposite outcome as your employees may think that a real incident is also a drill – and not treat it with the required attention.
However, we need to build a work plan at the strategic level, divide the employees into multiple categories, support the tasks in the security forum and target each of the categories at a different time, based on the exposure level.
Then we start thinking outside of the box when planning that drill; and then we start thinking like the attackers.
What are the biggest challenges you face in the year ahead?
There is no one solution to cybersecurity, at least not one that is expected from companies or even countries.
Cyberwarfare has become a “legitimate” tool for nations to use against their rivals. The hackers that support this task (APT10, 28, 31, etc.) could easily shift the tools to the private sector based, of course, on monetary incentives. These hackers are very professional, and they use state-sponsored tools.
We are facing an asymmetric position in which attackers have the advantage: military grade technology, highly skilled people and a process of attack that actually could bypass any industry-based solution.
No company is able to protect itself against that scale of attack, nor wait for the state to assist it in time.
The biggest challenge I am expecting for 2019 is engaging state sponsored threats without collaboration and effective mutual information sharing within the sector.
We must become proactive (for example, the C.D.A.), as that will enable us to protect ourselves against system threats that require immediate takedown as well as against emerging threats that will require state-sponsored help to manage.
On a day-to-day basis, my concerns are autonomic weaponized malware, such as ransomware and wipers. We’ve seen many incidents that ended with the attackers corrupting entire networks by wiping or encrypting files and databases. In some cases, the damages were reported to be in the hundreds or millions of dollars, in addition to the fact that the affected companies were not able to operate for days or even weeks. Another type of malware, which could be more relevant to the cryptocurrency world, locates and steals the companies’ cryptocurrency holdings. In most cases the theft is irreversible.
The company I work for invests in cybersecurity and defense to protect the flow and custody of cryptocurrencies, more than it invests in development.
How can CISOs balance security and innovation?
The Fourth Industrial Revolution:
“We stand on the brink of a technological revolution that will fundamentally alter the way we live, work, and relate to one another. In its scale, scope, and complexity, the transformation will be unlike anything humankind has experienced before. We do not yet know just how it will unfold, but one thing is clear: the response to it must be integrated and comprehensive, involving all stakeholders of the global polity, from the public and private sectors to academia and civil society.”
It is our responsibility as CISOs to become part of it, to continuously measure the exposure surfaces, to understand the emerging risks and to hedge them so as to allow the business to continue to grow. This is what “Business Enablers” means.
However, we also need to steer the management towards corporate responsibility – “How can we as a corporation contribute back to society?”
At eToro we have multiple programs that allow us to contribute to people with special needs, and train them along the process. We have just initiated a new program with the Ministry of Economy, as well as multiple consulting companies, to provide training and experience for this group.
It is our responsibility to build up this program to the board, gaining their attention (earning their trust as a leader), budget, and approval.
How important is being able to communicate with your colleagues?
“It takes a network to defeat a network”. We know that our enemies operate together, learn from each other and share their knowledge and tools. We must do the same.
As the CTO of the Israeli national CERT, I had the opportunity to be part of a great team that built Cybertnet – the leading platform for cyber collaboration & mutual information sharing.
Today I am part of the foundation for the CDA (Crypto Defense Alliance).
To become effective in engaging the threat, we need to cooperate together and become proactive.
Conclusion and key takeaways
- Embrace four values:
  1. Professionalism – Always provide the most efficient answer or ask for time to achieve it.
  2. Be humble – Always consider that other people’s ideas are at least as good as yours; let others be part of the greater good.
  3. Be a leader – Leaders will be those who empower others (leadership has nothing to do with seniority or one’s position in the hierarchy of a company).
  4. Collaborate – You will become collaborative only if you are able to achieve the first three values. But you will gain much, much more.
- Invest in human capital – We do not know what the next challenge will be 10 years from now; this is why we invest in children. The same goes here.
- Accept failure – Anticipate as much as possible, be as robust and as resilient (the ability to return from an incident) as possible, and be proactive with all departments (Media, RnD, MGMT, etc.).
- Corporate citizenship – This is our social responsibility. Start with initiative, lead your board of directors, collaborate with global initiatives (for example the W.E.F.).