Cybersecurity Leaders – Yosi Shneck, Head of Cyber Entrepreneurship and Business Development @ Israel Electric Corporation
Yosi Shneck is in charge of Cyber entrepreneurship and business development, including R&D, cyber products and services development, support of the IEC’s cyber unit, marketing, and deployment worldwide. He has been leading the R&D projects and activities in the European research programs for more than ten years, including the FP7 and Horizon 2020 programs.
He has more than 45 years of experience in computer systems & technologies in utilities, including information systems, scientific applications, super computing & communication, control systems, infrastructures & architectures, and cyber. In addition to his duties as ITC leader, he was responsible for readying the company against the cyber-attack threats, including IT/OT environments. Being accountable for the cyber activity of supercritical infrastructure, Mr. Shneck is involved in many nationwide and international initiatives in this field.
His previous functions in the IEC include SVP Information and Communications and Chief Cyber Officer; Head of Information Systems and Communication Division, CIO; Member of the selection committee for an investor in the new communication infrastructure company; Head of the National Communications and Electronics unit and Deputy of the Information Systems and Teleprocessing Division; Head of R&D computer department.
Where do you see the difference between Information Security, IT security, and Cybersecurity and how it defines the Cyber Leader activity space?
There are differences between the terms, but let us start to discuss what is common. Yes, all of them are talking about security, but the main point is the connection between them, and I would even define it as a hierarchy.
From my point of view, Cybersecurity is the term describing the broad, inclusive field of all the different modern security domains. Information security is one of them, a security subdomain, that deals with IT systems and processes. The same for information security, another subdomain, that part of it belongs to IT security.
Still, other parts of this subdomain are dealing with additional information and data security challenges. To complete the picture, Cybersecurity is embracing additional subdomains like OT security, supply chain security, and, maybe surprisingly, physical security, which in my opinion is also part of the game.
The broad definition of Cybersecurity pretty much defines Cyber Leader accountability and his activity space. It practically sets the activity borders to any corner of the organization, any process, and functionality. Sometimes as a decision-maker, sometimes as an advisor, sometimes as a supporter, but always as a Leader.
When speaking the language of business to their boards, are there certain phrases Leaders/CISOs should be using?
Before touching the question about certain phrases, let me address a more problematic language point. Most of the Cyber Leaders I have met in my long service didn’t talk to the Board, or other levels of management, in a business or audience-oriented language. Mostly they use technical and abbreviation-saturated language. Yes, from their side, it sounds very professional, impressive. Still, from the audience side, it sounds like a foreign language, and more importantly, the main point and subjects are not explained or understood.
So, going back to the question, specific phrases are situational. Here is some of my phrasing advice when talking to the Board. Don’t use an emotional description of the risk or cyber events; use a clear, deterministic description as much as possible. Connect your subjects to the Board’s points of interest and their language. Never say “maybe”; use “don’t know,” or your estimated probability of something happening or not. Describe the cyber challenges at the level of board responsibilities and their influence on them. Never say, “We are a hundred percent protected” – it is never right. Use and describe not only your cyber protection maturity, but also explain the organization’s resilience and recovery maturity. And most importantly, talk “Boardish” and not “Cyberish.”
Almost everybody agrees that organizations need a culture of security. How can security leaders facilitate that type of culture?
The culture of security or culture of Cybersecurity is an integral and significant part of the security sturdiness of an organization. It joins the technical cyber part to complete the full integrated organizational cyber treatment. Security culture is dealing with the behavior of the employees at all levels of the organization. It plays a key role in Cybersecurity maturity.
Like any culture, the security culture is based on patterns of behavior, professionalism, and values. It is part of the organizational culture. As we all know, cultural change is one of the most difficult organizational changes. Besides, security is not usually interpreted by employees as a positive action. Security leaders should support and lead the change process of the security culture cycle: set the baseline, provide the improvement plan, facilitate it, and stimulate top management support and involvement.
They should create employee trust and a positive attitude toward security, by full transparency of the cyber activities, explaining the benefits of their actions to the organization and the employee, and explaining the threats and their mitigation. An additional chore the security leader must apply is making the security culture part of the daily life of the organization. Yes, the security leader’s job mainly targets leading the security culture of the organization; the rest is easier.
What are the biggest challenges you face in the year ahead?
To choose the top challenges in the field of Cybersecurity is almost a prophecy. It is so dynamic, squalling, changing, surprising, that a year seems like a long period. On the other hand, this is the reason why we, the cyber enthusiasts, love it so much. The cyber threat and attack surface is growing exponentially. Increasing penetration of digital technology into all our life processes, automation, autonomous devices, endless connectivity, and globalization creates a fertile environment for cyber adversaries. So in such a unique environment, my three candidate challenges are just a tiny fraction of many additional ones that should be tackled.
The first one I call the foggy cyber view. We are handling a very sophisticated, complicated, and dynamic environment in any organization. In all of the cyber organizational situations, routine, cyber event, or recovery, the decision-makers, even at the highest level, don’t have a clear situational cyber picture. Even worse, they are unable to control the effectiveness of their decisions at a properly decent level. So the challenge as I see it is to build a near real-time updated “Cyber Battle Picture,” to base those crucial decisions on facts and not on intuition.
The second challenge is concern about the OT (operational technology) world. It is no longer just a challenge of the critical infrastructures and industrial sectors. It is becoming, and I expect even more intensively in the coming year, the challenge of most of the modern world. Our environment (social, functional and cultural) is embedded with sophisticated, interconnected control systems and devices (IoT) – the heart of the OT world. The control systems are more and more based on commodity technologies, and exposed to many additional vulnerabilities that were not part of the legacy systems. There are still organizational barriers between the IT and the OT units and activities. We must remove them. I have claimed for a long time, “The target of the adversaries is the OT systems; the highway to reach them is the IT systems.”
The next one is the tight coupling of the cyber technologies with smart analytics and deep learning. It will be needed not only to overcome the vast mass of cyber events organizations are struggling with, but it will also be required to create a clear cyber battle picture. An additional domain has joined the IT/OT playground, and I call it VT – Virtual Technology. It deals with social biasing, “Fake News,” network scams, and indirect cyber attacks. In my opinion, this domain will become most attractive for the adversaries, and only with a high level of information analysis, enrichment of sources, and sophisticated intelligence methods will we be able to challenge the new candidate.
How do you make sure you know what new projects, processes, products, or services are on the road map and that security is baked in from the process side?
About six years ago, I started to talk about CBD – Cyber By Design. I know, today, it is a concept that is heard from all over. But six years ago, it was not so acceptable or understandable. The main point is that even today, in most organizations, it remained a concept. It didn’t mature to a model, plan, policy, procedures, and real actions to deploy the CBD idea.
We have developed a full-scale CBD model, and I will detail some of its main principles. The CBD starts in the first stage of any process, system, or activity – the design stage. This principle is based on the well-known one, “Considering different issues in early stages makes the system better.” Where should CBD be used? The model assumes everywhere, based on my perception that cyber is everywhere. Yes, we have developed measures to filter what activities should be included, but everything is checked against these measures. The organization must cultivate and implement a process modeling culture. It is the basis of a real ability to analyze any process, test what-if dilemmas, and simulate the cyber consequences and steps needed, starting at the design stage and controlling through the whole life-cycle. Last but not least, it must become part of the daily work procedures, enforced by proper policy and procedures.
So that is the answer to the “How do you make sure...” question.
To summarize, this is my quote from six years ago: “‘Cyber by Design’ means ‘Resilient by Design.’ On the other hand, I call the current behavior ‘Cyber by Luck,’ which means ‘Defective by Design.’”
How might we address the perception of Cybersecurity holding back the business?
Let’s be fair. This perception has some factual basis. Many cyber activities and precautions we put in place to protect our organizations are of some disturbing nature. They put a burden on different resources – including financial – and they are causing different inconveniences to various services. It is hard to analyze them using methods we are used to, like TCO or other models.
The only problem with maintaining the “holding back the business” perception is that it doesn’t contribute or bring any solution or relief to the aforementioned hurdles. The fact is that cyber is here, and it’s here to stay. To say it more explicitly, cyber is the “New Normal”!
The only attitude I am familiar with, and which I suggest my colleagues adopt, is to look on the bright side of the situation. Cyber brought many new advantages and opportunities. Where adequately deployed, it significantly improved different aspects, like the quality of IT/OT systems and different corporate procedures and policies; it brought catalyzation of creativity and innovation; it supports the entrance of new, advanced computer science technologies and additional benefits. When talking about opportunities, many organizations take advantage of their cyber experience and know-how to diversify their core business portfolio, adding cyber products and services—in other words, making “Lemonade from Lemons.”
Cyber is one of the most disrupting issues of the modern world.
It is the “New Normal.” It sometimes brings security/cyber leaders to the edge, but in parallel, it creates new opportunities.
Security/cyber leaders should be carved from a mixture of leadership, smartness, creativity, and strong nerves. Above I pointed out the next cyber challenges.
The security/cyber leader has one leading challenge – to balance. To balance between cyber sturdiness and the ability of the business to fulfill its destiny.