Ilan Abadi joined Teva in May 2012 as Global CISO.
In this role, Ilan is responsible for defining Teva's cyber security strategy, establishing the organization, and managing ongoing cyber activities, including current and future security threats. Among his responsibilities, Ilan manages cyber incident response, including cyber technology for Operational Technology (SCADA), in a heavily regulated environment.
Ilan has 20 years of experience as CISO in major Israeli and global companies. These include YES, an Israeli satellite services company, and the National Israeli Police, where among other responsibilities Ilan led cybercrime investigations and served as an expert witness in court.
He is a member of several national cyber teams and is currently completing a BA degree in Art History at Tel Aviv University.
The CISO’s role is a very high-pressure, high-stakes job. What is the right profile for this job?
In my experience, there is no one right profile for the CISO job. In general, I can say that today, more than ever, you need the ability to work with various technologies (cloud-based, legacy OT systems, etc.), handle multi-layer business needs, manage the relationship with the company's board, and more.
Personally, what works for me includes several characteristics: I am passionate about science fiction, and the CISO role is the perfect place for me to be. In addition, my interest in art inspires me to be creative, another important trait.
Cyber security threats are evolving every minute, while technology is mostly lagging behind, with no answers or only limited solutions. The CISO must be a creative person and know how to mitigate risks with the currently available technology.
How do you convey to the board the message that, with regards to cybersecurity, you can minimize the risk but you are never going to be 100 percent secure?
For me, the most dangerous situation is when the board has the false sense of security that "we are good". The other side of this coin is "the sky is falling in". The expectation from the CISO is to maintain the cyber risk at the levels of "risk acceptance" as defined by the board and senior management. The understanding that we are not "bulletproof" and that it is only a matter of time until we have a cyber event is most important. We can demonstrate it by showing statistics and presenting case studies that have actually happened.
Once you gain this understanding, you need to explain the main risks your organization is facing, and the maturity level you have in facing these risks. Next, you need to have a very clear plan for how to manage and reduce the exposure to the risk. The plan should be presented to the board and be easily trackable. Finally, the board needs to be familiar with your Incident Response policy and join a drill in an active role.
What advice do you have for security leaders?
On this question I would like to share my three cents:
a. Don’t be in “hubris mode” – the most terrible sin in the days of ancient Greece was to be in a situation of hubris. For us, after many years of experience, it is easy to be overconfident. We must have “compensation controls” where we think we are doing well or know all there is to know.
b. Technology doesn’t have a solution for everything! We wish that were the case but unfortunately the bad guys are always a step ahead of us, and have more funds. We must close the gaps with policies, clear guidelines, secure processes and awareness!
c. Talk with the business throughout all levels of the organization. Sometimes we don't have a good understanding of why something goes wrong, despite the fact that we have spent a lot of money and effort. Speaking with a person on the production line can help us understand and realize how we can do cyber security better.
Security and IT professionals are bombarded with news about cybersecurity issues. How can they filter out the noise and determine what issues really matter to them?
Almost every day we hear or see news in the media about a cyber security event. If your company has an active board, you will sometimes get emails with news about attacks, asking whether you are aware of them and whether the company is exposed to this threat. We need all kinds of filters to help us define what is relevant to our business and what is less relevant.
To be able to track these attacks, you need a very good intelligence company (or several) that is familiar with your business and security mechanisms. You need to build a process in which one of your employees from the SIEM/SOC team will act as the “Intelligence Officer.” They should get all the data in a structured manner. This Intelligence Officer needs to be able to recognize whether this threat can impact your business and what steps need to be taken to minimize the exposure to this kind of attack.
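One way to give that "Intelligence Officer" a structured first filter, as an added example that is not from the interview, from Teva, or from any intelligence provider: each incoming advisory is normalized into a small record (affected products and versions, targeted sectors, whether it is exploited in the wild, what network access it needs) and scored against the company's own asset inventory. The inventory, the advisories, the product names and the scoring weights below are all constructed assumptions for illustration; in practice the records would come from a STIX/TAXII or vendor feed and the inventory from the CMDB.

```python
"""Triage structured threat advisories against an asset inventory.

Added example for the "Intelligence Officer" process described above. The feed
format, inventory, product names and weights are constructed assumptions, not
any real company's data.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: what the business actually runs and where it sits.
INVENTORY = [
    {"product": "ExampleSCADA", "version": "4.2", "environment": "OT", "exposure": "internal"},
    {"product": "ExampleERP", "version": "11.0", "environment": "IT", "exposure": "internet"},
    {"product": "ExampleMail", "version": "2.3", "environment": "IT", "exposure": "internet"},
]

COMPANY_SECTORS = {"pharmaceutical", "manufacturing"}

# Constructed advisories, already normalized into the shape the officer receives.
ADVISORIES = [
    {
        "id": "ADV-1",
        "title": "RCE in ExampleSCADA 4.x",
        "products": [{"name": "ExampleSCADA", "versions": ["4.0", "4.1", "4.2"]}],
        "sectors": ["manufacturing", "energy"],
        "exploited_in_wild": True,
        "requires_network_access": "adjacent",
    },
    {
        "id": "ADV-2",
        "title": "Credential phishing against retail banks",
        "products": [],
        "sectors": ["finance"],
        "exploited_in_wild": True,
        "requires_network_access": "remote",
    },
    {
        "id": "ADV-3",
        "title": "Auth bypass in ExampleMail 2.x",
        "products": [{"name": "ExampleMail", "versions": ["2.0", "2.1", "2.2", "2.3"]}],
        "sectors": [],
        "exploited_in_wild": False,
        "requires_network_access": "remote",
    },
    {
        "id": "ADV-4",
        "title": "Old bug in ExampleERP 9.x",
        "products": [{"name": "ExampleERP", "versions": ["9.0", "9.1"]}],
        "sectors": ["pharmaceutical"],
        "exploited_in_wild": True,
        "requires_network_access": "remote",
    },
]


@dataclass
class Assessment:
    advisory_id: str
    score: int
    reasons: list = field(default_factory=list)
    affected_assets: list = field(default_factory=list)


def assess(advisory, inventory=INVENTORY, sectors=COMPANY_SECTORS):
    """Score one advisory: 0 means 'not relevant, file it'; higher means act sooner."""
    a = Assessment(advisory["id"], 0)
    # Exact product + version match against the inventory (hypothetical weights).
    for ref in advisory["products"]:
        for asset in inventory:
            if asset["product"] == ref["name"] and asset["version"] in ref["versions"]:
                a.affected_assets.append(asset)
    if a.affected_assets:
        a.score += 50
        a.reasons.append(f"{len(a.affected_assets)} affected asset(s) in inventory")
        # Internet-facing assets reachable by a remote attacker come first.
        if advisory["requires_network_access"] == "remote" and any(
                x["exposure"] == "internet" for x in a.affected_assets):
            a.score += 20
            a.reasons.append("internet-facing asset, remotely reachable")
        # OT gear: safety impact and slow patch cycles, so it is never "just IT".
        if any(x["environment"] == "OT" for x in a.affected_assets):
            a.score += 20
            a.reasons.append("OT/SCADA asset affected")
        if advisory["exploited_in_wild"]:
            a.score += 15
            a.reasons.append("exploited in the wild")
    elif advisory["products"]:
        a.reasons.append("named products/versions not in inventory")
    # A campaign aimed at our sector is worth a look even without a product match.
    if set(advisory["sectors"]) & sectors:
        a.score += 10
        a.reasons.append("targets our sector")
    return a


def triage(advisories=ADVISORIES, inventory=INVENTORY, sectors=COMPANY_SECTORS):
    """Return assessments sorted most urgent first, dropping zero-score noise."""
    results = [assess(adv, inventory, sectors) for adv in advisories]
    return sorted((r for r in results if r.score > 0), key=lambda r: -r.score)


if __name__ == "__main__":
    for r in triage():
        print(r.advisory_id, r.score, "; ".join(r.reasons))
```

With the constructed data, the SCADA advisory ranks first (affected OT asset, exploited in the wild, targets our sector), the mail server bypass second (internet-facing, remotely reachable, not yet exploited), the ERP advisory stays low because the versions named are not deployed, and the banking phishing campaign is filtered out entirely. The point of the exercise is that the ranking is driven by the inventory, so keeping that inventory accurate is what makes the officer's answer to the board trustworthy.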
How can CISOs balance security and innovation?
We have already talked about the first sin. For me, the second sin is to "fall in love" with complex, sophisticated cyber attacks and prepare for them while neglecting the basics. As I live and work in Israel, I am exposed to a huge number of innovative, cutting-edge cyber solutions. Using innovation is mandatory, but innovate where it matters.
Define what your major gaps are, and try to find the innovative solution that can matter and help you minimize the exposure to the risk. It is that simple! Whenever you are able to mitigate the exposure by using current tools, policies, procedures, etc., just do that!
How important is being able to communicate with your colleagues?
Cyber security can't be done by the CISO alone. I could go further and say that very little can be done by the CISO alone. In dealing with multi-layer threats and attacks, every layer of the company is exposed.
When you understand that, you realize that your future is in the hands of your colleagues! You need to harness your colleagues to play an active role in your Cyber security plan. Hold routine meetings of teams and colleagues, let them present Cyber projects and achievements and let them be part of your team.
A few closing words. My answers here come from my 20 years of experience. There are probably more, and maybe even better, answers to these questions, but I will leave you with two important takeaways: don't go into "hubris mode", and beware of falling in love with highly sophisticated cyber attacks.