CISO of the Week – Gil Zissu, Global CISO CyberArk
With more than 30 years of technology infrastructure, innovation and security expertise, Gil has served for the last 7 years as a global CISO and COO for global companies.
Gil has established and led enterprise information security programs and strategy.
He spent two years planning and delivering the information and infrastructure security systems at the Israel Post Office, following five years planning and delivering business-driven security and IT solutions in the pharmaceutical industry, and before that a 23-year military career working with best-of-breed technologies and people in various operational capacities.
Gil’s latest challenge is the Next-Generation Postal Services for the Israeli Government.
The key career achievements include:
- Developed the vision of Next-Generation Global infrastructure supporting Teva’s new Digital Identity and Innovative Digital Services.
- Worked with global enterprise customers to increase their level of satisfaction.
- Planned, staffed and managed Cyber Security excellence center protecting Core Business and operational functions.
What are the major concerns for CISOs today?
Reducing the attack surface – and limiting an attacker’s ability to move laterally within the network once they’re able to get in. With damaging attacks and breaches rocking headlines on a daily basis, reactive approaches or traditional security defenses promising to keep attackers out are not enough. Nearly all advanced attacks involve the exploitation of privileged credentials, which provide powerful access to organizations’ most sensitive data, applications and infrastructure. These privileged credentials must be protected as they’re the keys to the kingdom, and the security of an organization’s crown jewels depends on it.
What are your views on the scope of the CISO’s role?
The role of the CISO is not only to protect the company from security breaches. This topic is the main step but not the only one. To be able to protect and mitigate the risks the CISO must be a business enabler, which means understanding business. Digital technologies, IoT and Big Data influence and enable business but also increase the security risks that could impact the business competition.
Focus on projects that reduce the most amount of risk and have the largest business impact with real supporting technologies.
The new approach demands new skills of the CISOs, shifting mostly from the reactive mode to the proactive mode. CISOs must be aware of the business needs and find the solution in order to be an enabler to those needs – how the company’s security program can help and serve their needs. He must have soft skills like collaboration, managing, communication, etc.
How do you convey to the board the message that with regards to cybersecurity, you can minimize the risk but you are never going to be 100 percent secure?
The role of the CISO is very complex. Every day he needs to contest very available and very professional hackers with advanced attack capabilities.
On the other hand, the target range starts from the desire to harm the reputation of the company to the desire for diplomatic warfare between states and organizations.
Rapid progress produces a situation where the organization can’t be protected 100 percent.
There is no absolute protection capability, and the role of the information security manager, together with senior management, is to examine ways of minimizing and managing the 10% of the areas that are exposed to technological gaps, business complexity, processes and more.
If this concept is understood and accepted, the result is an understanding of the existing threats, managing the risks, creating contingencies, building a strategic plan approved by the board, which minimizes the ability to strike, and moving from a reactive approach to a proactive one.
The organization’s senior management is a central part of this concept and is a full partner in the process of managing and minimizing risks – the information security plan is an important strategic asset.
How important is it to have the CEO thinking that security matters?
A CEO who understands information security is a power multiplier for the CISO.
The CEO’s ability is to understand the importance of the subject, to create a common language and to match the business need to the security risk.
This approach creates a situation in which the CEO is a full partner in the strategic plan, risk management and technological outline, enabling the CISO to be a partner in the organization’s business processes, and thereby creating the important cooperation between information security risks and business needs.
How can CISOs balance security and innovation?
The technological world is developing and very advanced (the digital world, connectivity and of course IoT).
These worlds bring new security risks that challenge the world of information security and make it much more complex, at the levels of exposure, maintenance and coping.
Information security should be an integral part of decision-making in all technology. Organizations must think about an end-to-end solution that includes the level of information security, the protection capability, the required mitigations and the ability to conduct an event in the event of new threats being opened.
The CISO has a very heavy responsibility. On the one hand, it must be part of the business and enable advanced capabilities that influence business activity, while at the same time, managing and dealing with new and advanced threats that increase the level of organizational exposure.
What advice do you have for security leaders?
Security leaders must be part of the organization, should understand the business needs, be able to build a security roadmap and to have the processes, technology and tools to understand the maturity level of the security in/outside the organization, including the cloud areas (security as a service).
Build a defense center that provides 24/7 monitoring with hunting and proactive processes and intelligence feeds around it.
A Security Leader should involve his customer – he must be one of the people that influence the organization’s security culture. Everybody is responsible for security – that’s the right approach.
The role of the CISO is becoming more challenging, critical, influential and of ever greater value.
The CISO must shift to this new approach – be part of the business, build excellent intelligence and monitoring – to be able to be proactive and create IR processes.
There is more pressure and responsibility.
The CISO will need to ensure business resilience at zero downtime and manage the internal and external activities.
We must play our part, we must check and be enablers and understand how the organization works and what the business cases are.