Erez Dasa is an experienced Chief Information Security Officer (CISO) with a demonstrated history of working in the government sector.
Skilled in Secure SDLC and in developing, implementing and monitoring strategic, comprehensive enterprise information security and risk management programs, Erez spent 6 years working for the Ministry of Health in Israel as Head of the Information Security Team, and has also worked as an Information Security Consultant in the finance industry.
He is currently the CISO of the Innovation division at the Israel Tax Authority.
Why did the role of CISO appeal to you?
Ever since I can remember I have always been intrigued by technology and computers and increasingly found myself dealing with security issues.
As the head of an information security team over the past few years, I was involved all day long in “hands-on” operations.
Over time, I wanted to help the organization not only from the hands-on scope, but mainly from the side of information security policies, risk management and building good defense circles in order to maintain and ensure the safety of the organization.
A good CISO can lead to fewer information security events, resulting in fewer “firefighting tasks” by the hands-on teams.
How important is it to have the senior management thinking that security matters?
For an effective information security program and strategy, it is necessary to have ongoing support from senior management.
Information security can’t be driven up from the middle of an organization. A lack of commitment and support from senior management cascades down and results in little support from business owners and department heads.
This support can be gained by aligning information security with business strategy and business goals.
Almost everybody agrees that organizations need a culture of security. How can security leaders help facilitate that type of culture?
The internal culture of the organization must be taken into account when developing a security strategy. Combining a security culture with the existing culture is necessary for achieving good information security responsibilities across the organization.
The actions needed to build a culture of security are training, education and awareness.
They are vital in the overall strategy because security is often weakest at the end-user level.
Employee awareness should start from the point of joining the organization and continue regularly.
Techniques for delivery need to vary to prevent them from becoming boring (simple quizzes, phishing campaigns, posters about information security, etc.).
We must remember that security is only as strong as the weakest link, and this is certainly true for information security.
What should a company do if they suspect cyber attackers have been successful?
“There are only two types of companies – those that have been hacked and those that will be”
As CISOs, we always know that hackers never rest and always seek the opportunity to attack us.
That’s why every organization should prepare for the next attack and establish a well-trained incident response team (IRT).
When a company suspects that a cyber-attack has been successful, they should activate the IRT to start investigating this event.
The first step is to validate the incident – we don’t want to interrupt business continuity based only on suspicions.
The next steps are:
- Assess and prioritize the incident to determine if there is a breach of protected information.
- Contain and minimize damage.
- Restore affected services.
- Determine the root cause.
- Implement improvements to prevent recurrence.
Throughout the incident, status should be reported regularly to management.
How can CISOs balance security and innovation?
The most secure and convenient setup, from an information security manager’s point of view, is a PC that is not connected to the Internet, a developer that doesn’t develop with open source libraries, and disabling any connection of external media (USB, CD, etc.).
Innovation is the “growth engine” of any organization and as information security managers we cannot stop organizational innovation under the pretext of information security risks.
A good CISO knows how to harness innovation for information security tasks: for example, to allow the use of open source libraries, but also to use systems and controls that automatically scan those libraries for vulnerabilities, to perform static analysis automatically on every application build, and so on.
Innovation is not only beneficial to business activity. It is equally useful for data security. Data security systems have also advanced and provide us with capabilities we previously would not have had, such as data loss prevention (DLP), anomaly detection, etc.
Our goal is to enable innovation in the organization and to protect it with the help of innovative information security systems.
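The controls mentioned in this answer (automatic vulnerability scanning of open source libraries and static analysis on every build) can be wired into a CI pipeline so that they run without a developer having to remember them. The following GitHub Actions workflow is an added illustration, not something from the interview or from the Israel Tax Authority; it assumes a Node.js project with a package-lock.json and uses `npm audit` for dependency scanning and CodeQL for static analysis. The repository name, branch names and audit threshold are assumptions chosen for the example.

```yaml
# Added example: gate every build on dependency and static-analysis checks.
# Assumed: a Node.js project with package-lock.json committed to the repo.
name: build-security-gates

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write    # needed for CodeQL to upload its findings

jobs:
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      # Fails the build when a dependency has a known vulnerability of
      # severity "high" or above; lower severities are reported, not blocking.
      - run: npm audit --audit-level=high

  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
```

Both jobs run on every push and pull request, so a library with a known high-severity issue or a newly introduced code flaw blocks the merge rather than being discovered after deployment. The audit threshold is the policy knob: setting it too low creates noise that developers learn to ignore, which works against the awareness goals described earlier in the interview.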
How can we address the perception of cybersecurity holding back the business?
Information security, unlike development departments, for example, does not provide tangible financial value to the organization. I think that here lies the great difficulty in changing the approach: information security is often perceived as a “pump of money” that relies on scenarios that do not always exist in the eyes of management.
This approach has slowly changed in recent years, with corporate executives witnessing more and more cyber-attacks on small and large companies, and the fear of being the next one becoming real.
In order to change the thinking that information security holds back the organization, the CISO should work closely with the management and be involved in any technology decision.
Thanks to good information security, the organization can continue to work, earn money and serve citizens anew every day. Information security does not hold back the progress of the organization – on the contrary, it allows the organization to continue to work continuously and efficiently.
Circles of protection through information security controls are very important, but we must always remember that the last circle of protection is our users.
If we manage to make information security more accessible to our users, we will have a much more secure organization.
In a world where cyber-attacks are taking place at any moment, we, the chief information security officers (CISOs), are here to help the organization keep moving forward.