CISO of the Week – Oren Zenescu, CISO, Altshuler Shaham Group
I started my career in the field of information security as an officer in the IDF information security corps.
Then, I headed to the private sector as an information security consultant for a variety of customers: financial, Hi-tech, Low-tech, etc., before becoming a team leader in the GRC field.
Since 2016 I have worked as the CISO of a large investment company called Altshuler Shaham. Our company specializes in managing customers’ long term savings and other investments, such as: pensions, portfolios, mutual funds, hedge funds, etc.
The company manages over 30 Billion dollars and is one of the biggest investment houses in Israel.
I am also a board member of the Israeli (ISC)^2 chapter.
As an officer, consultant, team leader and eventually a CISO, I bring vast knowledge of information technology and cyber security methodologies, technologies, risk management and, no less importantly, information security awareness programs for different kinds of workers.
Why did the role of CISO appeal to you?
As a consultant I worked closely with CISOs from all over the industry (financial, Hi-tech, Low-tech, etc.), some of whom were more brilliant than others. Some were more interested in IT security and some were also aware that it is important to understand business plans and goals in order to be a business enabler while maintaining sufficient levels of security.
I always wanted to be on “the other side” of the table in order not only to give advice and consultancy, but also to decide upon the right decisions for the company.
This makes your job far more challenging, with much more responsibility, but also gives you satisfaction and the ability to improve the cyber security posture of your organization.
For security executives who don’t have a strong relationship with their board, how can this be improved?
I think that every board must conduct a serious discussion of the cybersecurity risks the company faces at least once a year and with every significant change to its operations, for example: migrating to the cloud or upon a serious cyber incident like one that involves leakage of customers’ private data or which affects one of the critical business processes. Those discussions are a great opportunity for the CISO to come forward and to speak in a “business” language (risk management, ROI, etc…) directly to the board members, which in turn will start a process where the board members will want to be updated about the status of the cyber security plan and to talk about new risks. It’s also a great opportunity to explain and get support for the budget he needs in order to implement his plan. My advice to the CISO is to be careful not to exaggerate while he speaks with the board members but to explain the situation as it is and the implications of managing the risks (eliminate the risk, accept the risk, etc…).
How can CISOs better understand a business’s needs?
CISOs must get out of their comfort zone (that is – IT security like Firewalls, IPS, Antivirus), and conduct continuous discussions with business leaders in their company.
Every existing or new business process must be assessed by the CISO in order to make sure that the risks are being handled and the right controls are being put in place.
Eventually, a CISO who is not involved in the business processes will not be relevant and his cyber security program will not cover all the risks that the company is facing.
Threats are everywhere and always changing. How to address this difficult reality?
Well, CISOs are not alone. Unlike the companies that compete with each other in order to be more profitable and make money for their stakeholders, CISOs are dealing with other goals – that is, making sure that their company is safe from cyber threats – existing or new ones.
In order to do that, CISOs unite in peer groups and continually discuss those threats and the best practices and countermeasures to deal with them. This is also an advantage because eventually the threats are the same for my company and for my company’s competitors so we can share our knowledge to be in a win-win situation.
How do you make sure you know what new projects are on the road map and that security is baked-in from the process side?
As a CISO my job is not only to define the cybersecurity policy and procedures but to make sure they are being implemented all across the company.
While doing so, I constantly talk with business leaders and participate in business steering committees in order to keep up to date with what is coming next in order to be fully prepared.
How important is being able to communicate with your colleagues?
I think that communicating with colleagues is the key for success for every CISO. As I mentioned earlier, CISOs must get out of their comfort zone and communicate with business colleagues from other departments.
In that way the CISO could make sure that he is being involved in everything that’s going on in the company – from business changes to cyber security risks.
Also, the CISO could understand what the most critical activities are for the business and where to focus his best effort.
Today’s cyber threats and privacy regulations are much more significant and demanding than ever.
In order to face them, CISOs and security professionals must collaborate and share insights from their own experience so they can be prepared for anything to come.
Also, countries all over the world should do more in order to develop educational programs and train security professionals that could help in dealing with those threats.
In addition, managements and board members must understand that there is no such thing as “100% safe” in the cyber security field. It’s a never-ending process that must be properly budgeted in order to succeed in achieving its goals.