Head of Cyber Defense and Information Security of the First International Bank of Israel (FIBI) since January 2013. Prior to his current position Shuky served as Head of Information Security for e-Gov at the Ministry of Finance and in a security advisor position for a government agency.
From 1985 to 2008 Shuky held several technology positions for global companies.
Shuky Peleg holds an M. Sc. Degree in Information Technology and several Information Security, Risk Management and Audit certifications.
Shuky is also a council member at ISACA Israel.
If I gave you an extra Dollar, how would you spend it on cybersecurity?
I believe that today, with the exponential growth in demand for cybersecurity skills and technologies and with the growing need for new digital capabilities, I would spend any extra money on cybersecurity automation. We cannot have enough skilled staff to maintain and operate our security technologies, the security operation centers and analysts are getting more and more alerts and they cannot keep up with the demand. The only way is to automate security processes as much as possible. Automate incident response, malware analysis, Security Operation Center, cyber intelligence, anomaly detection, forensics and other security and compliance monitoring.
How do you convey to the board the message that with regards to cyber security you can minimize the risk but you are never going to be 100 percent secure?
The concepts of risk management are familiar to the board from other domains and the cyber security risk is yet another risk that needs to be managed. The most important thing is to be very clear that even with all the controls, most residual cyber security risks cannot be completely nullified. The assumption that we should take is that eventually, some systems will be compromised and there will be a data breach, and the most important thing is to be able to detect the breach as early as possible and to continue to provide services to the customers, even with limited capability.
Some people call for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies. What are your thoughts on this?
We used to do security awareness campaigns with slogans and posters and motivation statements, but with the increase in the creativity and sophistication of cyber security attacks worldwide we came to the conclusion that awareness campaigns alone are not enough and it is important to increase the involvement and commitment of our employees in their cyber defense efforts. This is done by conducting security drills, exercises and simulations at all levels. There are frequent phishing campaigns that target all employees, there are social engineering exercises, there are technical drills for the security operations center and the security and operation staff and there are round-table simulations for management.
Cyber Defense education efforts should be on-going and address the needs of all levels, preferably using the same technologies and processes that they use on a daily basis.
Your business in only as strong as your weakest partner. Can you trust that your partners are keeping your data safe from attackers?
Many of the high-profile data breaches in the last few years started not with attacks on the targeted organization but with and attack on one of its suppliers in the supply-chain. We rely on services and products from vendors and suppliers if it is cloud services, software development, outsourcing of services and more. In addition, the trend today is to make financial data available to 3rd parties who provide unique services, many of them FinTech start-ups, making the issue of who can be trusted even more acute. We obviously cannot control the security of these companies the same way we control and manages our own, but we can definitely inspect incoming and outgoing data, increase the level of screening before we start working with a new supplier, monitor indications of compromise that are openly accessible and review cyber intelligence related to potential breaches. In short, trust but verify.
How can CISOs balance security and innovation?
The role of the security organization must change. CISOs need to understand that an important new role of security is to enable business innovation, and the way to do that is by embracing cyber security innovation. Cyber defense organizations should look ahead, and find innovative cyber solutions and technologies that will enable the near future needs of the business, the cyber defense people should run in front of the business to clear the path and make sure that innovative business solutions can be implemented and not stumble on security requirements. To make this possible you need to have security solutions already in place before the business innovation is implemented.
One of the ways we used to find the right innovative security technology was by launching the FIBI cyber security accelerator program where each year we select a few start-up companies that have an innovative security solution and we work with them to adapt their idea to meet our technology and security needs. This program is already in its 4th year and so far has created very interesting solutions that we use.
How important is information sharing among financial institutions to keep them abreast of new threats and cybersecurity best practices?
The answer here is short and simple. Cyber security Information sharing among financial institutions is extremely important. The sharing of information is more effective if it is done via a central entity such as the national CERT or the industry regulator. This helps us to create the bigger picture and understand if events that are reported to the center are isolated events or part of a larger campaign. The most important issue here is to have bi-directional communication in a way that financial institutions not only share their incidents but also receive timely updates from the CERT or the regulator on current incidents that were identified in the industry.
In today’s technology atmosphere, where digital banking and FinTech companies try to introduce cutting edge technologies to financial institutions, it is important that the organization’s cyber defense capabilities exceed today’s needs and meet tomorrow’s business innovation.
Cyber defense in financial institutions should be proactive, contiguous, and based on automation. This can be enhanced by embracing solutions from start-up companies and the use of cloud-based security services. That is the way we combine FinTech innovation with Cybersecurity innovation at FIBI to provide better and more secured services to our customers and employees.
Last, but by no means least, don’t neglect the basic traditional information security best practices that have been developed over the years, complementing them with innovative cyber security.