Alexander (Alex) Raif is an experienced Cyber Security and Privacy Protection expert with over 12 years of leadership experience and a security/technology-focused background.
Alex serves as Lead Security Architect and Deputy CISO for Maccabi Healthcare Services, the 2nd largest HMO in Israel.
He previously worked at Amdocs as a Senior Security Architect, specializing in Cloud Security and GDPR readiness.
What is your overall approach to information security?
People. Everything starts and ends with people, especially in the information security field. Companies can build secure infrastructure protected from external threats with firewalls and private networks, but that doesn’t mitigate the risk of threats, malicious or unintentional, from inside the organization.
Another aspect is innovation as a way of life – this is how I practice Cyber Security. This ever-changing industry has to think on its feet as new threats emerge so that data can remain safe, and therefore a good professional must be innovative in their practice.
Where do you see the difference between cyber, IT security and information security?
There are two groups. One group says there is no difference at all, that these are just different names for the same thing, while another group says there is a big difference.
I am part of the second group.
When I talk about information security, I think about all the information we have to manage these days, some on premises and some on cloud. The massive use of computers for storing information makes them an attractive target for attacks, and therefore the main emphasis is placed on protecting this information through backups, encryption and survivability. Therefore, information security deals with the confidentiality of information – that the information be accessible to the authorized person only; the integrity of the information – the information shall be kept in good condition and without any change by an unauthorized party; and the availability of the information – that the information will be available as defined.
Cyber Security on the other hand is another area that of course has a direct connection to information security but is different. Cyber is a high-level topic covering hackers, exploits, viruses, industrial network attacks, system vulnerabilities and more. We must be protected against cyber threats using experienced personnel such as penetration testers, system professionals, as well as advanced protection technologies.
How do you communicate information security to the board?
As a key indicator that C-suites are investing more of their time and attention in information security risk mitigation, the modern-day security leader is becoming an established contributor to Executive Management and the Board of Directors’ meeting agendas. Unfortunately, security leaders still often struggle to establish a seat at the table in those meetings or fail to use that seat effectively by linking security strategy to business strategy. Before I present to senior management, I conduct a thorough process of creating an Information Security Plan that is inclusive, understandable and measurable, and I always come with exact numbers and examples, never with theories.
Another important aspect is having priorities. As a security leader you will have a lot of topics you want to promote, but never come to management with more than five if you want to be taken seriously. Always strive to develop intimate relationships with several management members. Define how you’re measuring effectiveness and be prepared for unexpected questions.
Creating cyber security culture
The CISO holds the ultimate responsibility for educating the workforce in information security areas. The CISO must pave the way and set the bar for workshops, awareness campaigns and measurement activities.
As for senior management engagement, the security executives need to adjust. In order to have collaboration, the security executive has to know how to choose his battles, where to let go and where to step on it.
Know the difference between must have and nice to have.
Soft skills development can be initially uncomfortable for infosec pros; many like things to be black or white. Increasingly, however, information security is gray, and the security pros who understand the importance of soft skills and who develop and use them will succeed in their projects and careers.
Your business is only as strong as your weakest partner
That is a good point indeed, and this is one of the biggest challenges I have in the healthcare industry, which relies on many 3rd parties.
The key is managing the risk, the suppliers and the partners. Build a robust supply chain management program that incorporates information security at all stages, starting with procurement, where you assess the vendor/partner, and continuing with periodic security assessments.
Hospital and healthcare data protection
While many facilities are working toward achieving full compliance with HIPAA, HITRUST, and other privacy regulations, there are a variety of factors to consider that go beyond compliance issues to address the overall risk to the facility. Protected Health Information (PHI) is a prime target. Online information needs 24/7 protection.
The biggest threat in healthcare today
With so many health and wellness programs and procedures becoming available on mobile devices, hospitals and clinical practices must be aware of the threat of security breaches and hacking of health data. Doctors, nurses, and hospital staff are using tablets and mobile devices, and so are patients and visitors. This means a potential for security breaches on both sides of patient care.
As a closing statement, corporates must start to see security as an enabling factor of the business. Security executives must be familiar with what they are protecting, engage with all departments and collaborate in order to achieve corporate success.
The CISO must remember that “No” should be said infrequently or not at all. Instead use positive and enabling words and find proper solutions.