CISO of the Week, Nir Chervoni, VP of Information Security for Credorax Group
Nir Chervoni is a seasoned information security leader with extensive information technology, information security, and strategic security planning skills.
He is currently acting as Vice President of Information Security for Credorax Group – an amazing Fintech company, providing merchant acquiring services, cross-border payments, and banking services.
Nir brings vast knowledge and experience in the field of information security in large scale financial corporations and Fintech companies.
Nir started his career in the field of information technology with a couple of hands-on positions, through information security consultancy, and leading a team of information security architects in one of the biggest banks in Israel, providing security guidelines and directives to the bank and its subsidiaries around the world.
As a bonus – Nir is a musician in his spare time.
Why did the role of CISO appeal to you?
While I was an Information Security Consultant, working with a large number of organizations, I noticed that most of the CISOs were mainly focusing on how to increase security within the organization’s IT systems and networks, creating large work plans containing several security solutions. One thing that I think I had already identified back then is the fact that most of their work plans and solutions weren’t aligned with the business strategy and the business and operational risks related to one’s organization.
At some point, it hit me that something was wrong with that approach, and I imagined how it would be when I became a CISO someday in the future, focusing on the key business and operational risks, trying to bring business value, adding security layers as part of the company’s product.
When speaking the language of business to their boards, are there certain phrases CISOs should be using?
I think that in general, a CISO needs to adapt his language and phrasing when he speaks with various kinds of audiences. If we take the board as a key example, the CISO needs to talk the language of business risk, potential damage, the cost of risk reduction, and the level of residual risk after mitigating the most significant risks.
In the most common case, the board members aren’t technical, and even if they are, they are not really interested in having a lecture about the technical risks, or how sexy the security solutions the CISO is planning to implement are. That’s why the approach of talking “money” and “risks” is supposed to work when delivering your agenda as a CISO to the board.
What soft skills can help security executives collaborate better?
I think that the three most important soft skills which can help security executives collaborate better are positive attitude, good communication skills, and acting as a team player.
With regards to positive attitude, I think that when you’re a CISO, in lots of organizations, most of the employees and executives see you as someone who’s pretty harsh, doesn’t really understand the full business picture, and sometimes even as someone who’s managing the “department of no”. Having a positive attitude, together with a business-enabler approach, can significantly enhance the way the employees and executives perceive you and your agenda as a CISO.
With regards to good communication skills, it’s pretty simple. Like salesmen, you should learn how to be a story-teller. As a story-teller who can deliver your agenda in a simple, clear and interesting way, you can gain a lot of cooperation from your colleagues and other stakeholders that you’re dealing with.
With regards to acting as a team player, as long as you act as someone who shares the same goals with the executives within the organization in a way that is aligned with the business objectives – they will cooperate with you.
Threats are everywhere and always changing. How to address this difficult reality?
A CISO needs to understand the business verticals of the company, the systems and components enabling those business verticals, and the business impact in case of a successful attack on one, partial, or various business processes.
The way the CISO should handle the prioritization of reducing the probability of those attacks is with risk evaluation and management, risk methodologies and risk assessment tools. These methodologies should help the CISO to understand the risk level derived from the business impact, the probability of exploiting the systems or components supporting the relevant business vertical, the current controls in place which are already mitigating the practical risk, and some other variables like the scale of effect in case of attack, the ability to replicate an attack after having suffered a successful one, etc.
With proper risk management, the CISO can “move the parts” wisely within the company’s information security program in a way that is more cost-effective, and focus on the key business risks, and not just something that intuitively looks like a critical risk but, in a holistic view, is actually only a medium one.
How do you predict the future of authentication in online banking?
I believe that the requirement for strong authentication will increase more and more with the evolution of new attack types in the future. As PSD2 already stated, in the near future (September 2019), the requirement for Strong Customer Authentication in online banking in Europe is going to be mandatory, an act which should increase security with all the banks which haven’t implemented it yet.
Still, as already occurred in the past, even with multi-factor authentication, sophisticated attacks can still happen, as happened before with Eurograbber and Operation High-Roller back in 2012.
I believe that in the near future, we will see new authentication technologies based on key-splitting, authentication apps runtime protection within smartphones and various solutions which will be aligned to the active threats of the same time period.
How could we address the perception of cybersecurity holding back the business?
As I’ve mentioned previously within this interview, before I was a CISO I was imagining what kind of CISO I would be when I held this position, and two key items that I had in mind were being a business enabler and trying to provide security as a business value. Today I still believe that these two approaches are the key success factors for CISOs in general, and for me as a CISO specifically.
As a closing statement, I want to say that I have a dream. In my dream, all of the companies world-wide, and financial services companies specifically, will see the CISO as part of senior management and as a key business player, similarly to how they see the CFO and the CTO today, for instance. Of course, this will require the counterparty, the CISO himself, to be mature enough to understand that he didn’t engage with the company just to protect its systems and data, but also to play a key role within the company’s vision and strategy.