CISO of the Week – Israel Baron, CISO, Israel Railways
Israel served for nine years at the Israeli Ministry of Defense (IMOD) as a Technology Security Officer at the DSDE (Directorate of Security of the Defense Establishment), the regulator of the Israeli defense industries, and is currently the CISO (Chief Information Security Officer) of Israel Railways Ltd.
As the Israel Railways CISO, Israel established and managed the Cyber department and set the strategy and tools to defend its critical assets and systems, including the design and construction of the company's integrated Cyber Security Operations Center (SIEM/SOC).
How do you articulate the three-pronged approach of people, processes and technology?
I strongly believe that to achieve high resilience the CISO must build the three-pronged approach of people, processes and technology into the company work plan.
I do this with a structured approach based on the Israel NCD (National Cyber Directorate) methodology, according to which a good mitigation plan must begin with a prioritization process that includes mapping and risk assessment for each asset in the company. Based on this process, the mitigation plan addresses People with training and awareness programs, the nomination of Cyber Trustees and pre-employment screening; Processes with company cyber policies and procedures, cyber requirements in tenders, penetration tests and security assessments, response procedures, a DRP (Disaster Recovery Plan) and supply chain regulations; and finally Technology with the purchase and implementation of cyber defense systems, cyber intelligence services and systems, a SIEM/SOC and forensics capabilities.
How important is it to have the CEO thinking that security matters?
In order for the CISO to be successful in his mission and provide high resilience for the company, it is vital that the company board, and especially the CEO, regard security as vital. This is because, to make the necessary changes in the company, including changes regarding people, processes and technologies, the CISO must receive strong support from management: both the backing to take the actions needed to make the changes, and the financial backing to make them happen.
How can CISOs better understand a business’s needs?
A good CISO will always be involved, first and foremost, in the organizational processes and business model of the company that employs him. Furthermore, before becoming a CISO, one must understand that the company's business is not security, and as such the CISO must find a way to make things "happen", which means finding the most secure way to enable the business need rather than blocking it in the name of security.
Threats are everywhere and always changing. How do you address this difficult reality?
As cyber threats continue to evolve, increasingly threaten businesses and grow in volume and scale, companies of any size will be forced to take new action to address cyber risk holistically, integrating it into their enterprise risk management.
There are several measures that can be taken to minimize the risk:
- The Cyber risk must be managed as an enterprise risk, meaning that the company management and board will have to understand the holistic impact of cyber risk on the business.
- The adoption of Cyber Insurance Policies.
- Adopt or build security measures against cyber-attacks that originate from third-party suppliers, to minimize the risk of third-party software, hardware components or IoT devices being used as a way into internal networks and critical assets.
- Implementation of new methods of authentication, such as multi-factor authentication.
- The use of a proactive approach against insider threats, such as pre-screening services, employee security training and applying technical controls.
- Design and build CSOCs (Cyber Security Operation Centers) that integrate both IT & OT (Operational Technologies) environments.
When the business is steaming along and wants to introduce new products or services, how do you make sure that security is plugged in?
It is essential that the CISO and the cyber department are integrated into the development process for projects, products or services from the very beginning, starting at the early characterization stage of the project.
This must be done, for example, through an integrated activity that includes raising the awareness level of project managers in the company, making use of "Cyber Trustees" among the employees, and adding a requirement for CISO approval to the company procurement process.
You’ve been in the industry for 16 years. What are some of the biggest changes you’ve seen not only in terms of threats, but also how cybersecurity is viewed in an organization?
After almost 16 years in the cyber security business I can honestly say there has been a fundamental change in the way that the cyber threat is now perceived.
Several years ago, IT managers (there were no CISOs yet) only had to secure a small number of systems and computers that were connected to the internet in basic ways, and the most significant cyber threat at the time was the penetration of a virus into the organization's computer systems.
Today, with the increase in use of new technologies in the workplace, driven by the need for businesses to become more agile and adaptable, there has been a giant leap in the number of systems and technologies, and potential ways for criminals to gain access to company assets. As a result, the entire cyber battlefield has evolved and become far more complex.
Furthermore, after some major cyber hacks, such as the Sony cyber breach, businesses have internalized the fact that cyber-attacks such as this can have a major impact on business performance, and the cyber threat is finally being managed as an enterprise risk.
From a cybersecurity perspective, what are the major differences between traditional railway infrastructures and the next generation of fully connected and digital trains?
Until recently, the operation of railway signaling systems had been assumed to take place on closed networks, and this was the base assumption for the safety of the signaling systems.
Recently, these systems have become more and more centralized and integrated, so the assumption that the signaling system operates within closed networks is no longer sustainable.
At the same time, railway signaling systems have become more and more IT-based, providing functionality that runs not only on dedicated computers and hardware, but also on regular computers and COTS (commercial off-the-shelf) components, which are more vulnerable to cyber threats. In addition, we are seeing the increased use of networked control and automation systems that can be accessed remotely via public and private networks.
All these new technologies in the rail industry require new cyber security measures and efforts, in order to ensure the integrity and safety of the railway systems.
Although the CISO role is a technological role, I strongly believe that, first and foremost, the CISO role is about knowing how to "communicate" with everyone, from the production-line employee to the BOD (Board of Directors). He must have the human skills to convince and harness them all, so that they work together in the face of ever-evolving cyber threats.