I spent 7 years in the Israeli Ministry of Defense – Mission to New York, as the Deputy Director of Security.
I also worked for a year at a cybersecurity consulting firm.
Currently, I am the CISO of Gett.
I have over 13 years of experience developing, implementing and monitoring strategic, comprehensive enterprise information security and risk management programs, and leading strategic security planning, working together with IT, operations, development teams, and users across the organization.
What is your overall approach to information security?
Information security should always support a wider objective. We don’t protect information for the sake of security. We protect information in order to support the business. The challenge is finding the balance between being a defender and an enabler.
How important is it to have the CEO thinking that security matters?
Information security operations should be supported by multiple factors – executives, mid-level managers, employees, and resources. The CEO should understand the need for information security and help with the required resources. Our job as information security experts is to be the advocates for it.
In an information technology environment where personnel are taking on increasingly complex responsibilities, what do you think is the role of cybersecurity awareness training?
Cybersecurity awareness training is fundamental for any information security operation to be successful. It is all about people in the end, and people should be engaged and educated if we expect them to be responsible in playing their part.
Last year brought the largest Distributed Denial of Service (DDoS) attack via Internet of Things (IoT) devices configured as a botnet. Do you think legislation should mandate that device manufacturers meet minimum cybersecurity requirements to avoid this kind of incident?
I do expect the legislators to protect the interest of the public. I also expect the tech industry to be responsible and take the necessary actions to protect their customers. It should be a balance between rules and responsibility.
How can CISOs balance security and innovation?
I don’t think security and innovation are contrary. They are aligned and support each other. We should be innovative as CISOs, as we should always support and push the organizations we work for toward innovation. It is challenging to keep up with new technologies and new ways to protect them, but this is our job, and this is why it’s so great to do it.
How could we address the perception of cybersecurity holding back the business?
Changing people’s perception is a tough mission, but it’s possible. First, we should strive to understand the business needs and make sure that every decision we make takes into account the bigger picture. Also, a solid awareness program should be implemented. Awareness is the most fundamental tool we can use in order to engage people with the mission of information security. And communication: it’s all about communication. We should always communicate the reason behind every decision we make, and when people are part of the process, they usually have the right perception about it.
Information security is not only about technology; it is also about people. For me, being a successful CISO is about being on top of technology, finding the right balance between defending and enabling, but most of all it is about engaging people. As David Hume once said, “Reason is, and ought only to be the slave of the passions.” Don’t expect people to automatically follow the rules or promote information security actions. Find a way to excite them about security, and the rest will be much easier.