QOTD - Jay Clayton on SEC's Mission

Technology has become commonplace in our lives, including in our financial transactions, and cybersecurity should be a major concern for all Americans...
It is critical that we regularly assess the cybersecurity landscape and adapt accordingly as we strive to fulfill our mission.
-- SEC Chairman Jay Clayton

Src: https://www.sec.gov/news/press-release/2017-126

Podcast Notes - Six Point List for Dealing with Today's Cyber Attacks

I was recently on a podcast (to be released in the next couple of weeks) discussing current events, especially recent reports related to Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say. Towards the end of the podcast, I was asked for some closing thoughts, which I organized into a six-point list:

  1. Attacks are happening. Accept this as fact!
  2. Look internally at your People, Processes, and Technology (PPT), and assess how resilient your PPTs are against the types of attacks that are happening.
  3. Start taking steps -- or more likely, improve your current steps -- to prevent, but also to detect and respond (as prevention will only get you so far).
  4. Patch, patch, patch.
  5. Test, test, test.
  6. Finally, because it's only a matter of time, the last item is: drill baby, drill.

Cyber Lessons from the 2017 Harvey Nash / KMPG CIO Survey Report

In May this year, Harvey Nash and KPMG released their 2017 CIO Survey report. The report looks at some of the key issues on CIOs’ radar, including how CIOs are handling changing times, the need for stable IT, the strategic influence of CIOs, issues leading to costly and failed IT projects, job satisfaction, and of course, the issue of cybersecurity.

We’ll cover the highlights of the report, and take a deeper dive on how the issue of cybersecurity which features prominently in the report, and share lessons on how CIOs can improve their organization’s posture.

Top (and Bottom) Priorities for CIOs

The top four priorities listed for CIOs are
  1. The need to deliver stable IT service to the business (63%, up 21% from 2016)
  2. Increasing operational efficiencies (62%, up 7% from 2016)
  3. Improving business processes (59%, up 3% from 2016)
  4. Saving costs (54%, up 8% from 2016)
In contrast, the bottom three priorities are:
  1. Reputation management via social media (5%).
  2. Achieving sustainable/green IT (6%).
  3. Investing in social media platforms (7%).

CIO Good News

Among the list of positive news for CIOs was their self-reported increase in their strategic influence: when asked if their influence was growing, 71% of CIOs responded yes, up from 67% in 2016. Not surprisingly, 62% of CIOs now sit on the executive board, up from 57% in 2016, a number that was below the 50% mark for the decade ending in 2010. This increased visibility is also confirmed with 68% of CIOs reporting having attended a board meeting in the last quarter, a figure that goes up to 85% when considered over a 12-month window. However this picture is skewed towards the smaller organizations, where it appears that CIOs have an easier time getting access to the board (72%, versus 65% for mid-size, and only 45% for large organizations). Similarly, CIOs at smaller organizations are more likely to report directly to the CEO at 45%, versus 27% for mid-size, and 17% for large organizations.

Where a CIO sits in the organizational chart makes a difference in their perception of job satisfaction: 44% of CIOs on the executive committee reported their roles as very fulfilling, compared to 42% of CIOs reporting to CEOs, and only 38% of CIOs reporting to CFOs. On the salary front, CIOs reporting to the CEO or the board reported larger salary increases (36% for CIOs under CEOs, and 35% for CIOs on executive committee) than those under the CFO (32%).

Managing Change

Managing change comes with the territory for CIOs. When asked about how they had adapted their technology plans to deal with uncertainty, CIOs reported creating a more nimble technology platform (52%), finding a way to work with restricted budgets (49% average, but more pronounced in small organizations at 51%), and investing more in cybersecurity (45% average, but much more pronounced in mid-size and large organizations at 55% and 53% respectively) as their top three.

The Cybersecurity Issue

While cybersecurity figures in 3rd place in the aggregate picture, it is the #2 issue for both mid-size and large organizations, just behind the need for nimble IT. For mid-size organizations, nimble IT ranks in the top spot at 56% while security is just below at 55%, with a similarly close picture for large organizations with 54% for nimble IT and 53% for security. Not surprisingly, cybersecurity was a regular topic in the top five categories of topics discussed when CIOs interacted with boards, along with IT strategy, IT investments, and digital transformation.

The report introduces the cybersecurity issue thusly: “Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.”
Top concerns for CIOs include organized cybercrime (71%), amateur criminals (52%), insider threats (48%), but also spammers (39%), foreign powers (28%), and competitors (19%). More worrisome, when CIOs were asked about if they were “well prepared” for detecting and responding to cyber-attacks, only 21% responded yes in 2017, compared to 22% in 2016, 23% in 2015, and 29% in 2014.

As can be expected, large organizations are more likely to report having suffered a major attack in the past two years (53%) compared to mid-size (41%) or small organizations (30%). However, the lower numbers for the smaller organizations may also be a reflection of their less mature detection and investigative capabilities.

Many CIOs are left wondering if their organizations are truly secure, or whether a false sense of security has been allowed to take hold, with potentially disastrous consequences. Bob Kalka, Vice President IBM Security Business Unit, wrote a three part series on Questions Every CIO Should Ask the Cybersecurity Leader: part 1, part 2, and part 3.

Much More in the Report

The report also points to an increasing trend where a larger share of the IT budget is controlled or managed outside of IT, 40% in 2017, up from 38% in 2016, and 34% in 2015. This trend puts increased pressure on CIOs’ ability to effectively manage the relationship with the rest of the C-suite and the board to exert influence on how that share of the budget is being spent.


Overall, the 56-page report provides a snapshot of where a CIO sits compared to their peers, as well as highlights important trends to be aware of and key areas they should be focusing on.

This post was brought to you by IBM Global Technology Services. For more content like this, visit ITBizAdvisor.com

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 2: The Land of the Cyber Startups

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is the second of three articles that I wrote following that experience;  the first article, explored the question of  “Why Israel?

[T]he prominence of Israel in the technological field and in the cyber field have made Israeli companies very, very attractive. So because we have a lot of speed chess players, because we have hundreds of startups, because we have demonstrable success in providing solutions in this rapidly changing sphere, Israel has become an attractive target for cyber security investment, and I think if I tally it roughly as we can see, in 2016 we have about 20% of the global private cyber security investment around the world.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

In a previous article, we explored some of the factors that have contributed to positioning Israel as a potential leader in the cybersecurity innovation domain. However, potential isn’t always realized, but in the case of Israel, there is strong evidence that the formula for leveraging their special mix of circumstances into cyber startups and investments is working.

Growing Alliances

One cannot hear the Prime Minister and deny that Israel is a country deliberately focused on cyber. There is a palpable deliberate effort by government sector, financial sector, industry sector, and academia to come together and collaborate. This effort is having an impact on the way the rest of the world sees Israel, as evidenced by Indian Prime Minister, Narendra Modi, who visited Israel in early July, the first visit by an Indian PM. In part thanks to its cybersecurity expertise, Israel is being courted by many countries according to its PM.

At CyberWeek, representatives from the US government were also in attendance, marking a new level of collaboration. Thomas Bossert, Assistant to the President for Homeland Security and Counterterrorism announced the creation of a bilateral cyber working group to “stop adversaries before they can get into our networks and hold bad actors accountable.” According to Reuters, the working group will focus “range of cyber issues — critical infrastructure, advanced R&D, international cooperation, and workforce.” Bossert went on to explain one of the reason for working together: "[t]he agility Israel has in developing solutions will innovate cyber defenses that we can test here and bring back to America.”

From Alliances to Startups and Vice Versa

The two high profile announcements about collaboration will likely be a boom for Israel’s continued ability to produce hundreds of cybersecurity startups. How many startups are we talking about exactly? Reuters quoted a figure of 400, while other sources put that figure closer to about 350 startups. Regardless of the exact number — as by their very nature startups come and go, sometimes in a matter of weeks or months — Israel is at the forefront of the global race to innovate in the cybersecurity space. Several (former) cybersecurity startups have now reached global name recognition; here are just a few, whose name you might recognize: IAI, Check Point, Verint, CyberArk, ECI, ByNET, CyberX, BGProtect, Clearsky, Safebreach.

The vibrant amount of activity in Israel hasn’t gone unnoticed by the global investment community and the US. A recently introduced piece of legislation, Senate bill S.719, entitled “United States-Israel Cybersecurity Cooperation Enhancement Act of 2017” introduced in March 2017 might help the US adapt Israel’s recipe for success to further energize US activity in this key sector. The bill “requires the Department of Homeland Security (DHS) to establish a grant program to support cybersecurity research and development, and the demonstration and commercialization of cybersecurity technology.” Grant eligibility requires that “a project must be a joint venture between: (1) for-profit, nonprofit, or academic entities (including U.S. national laboratories) in the United States and Israel; or (2) the governments of the United States and Israel.”

Most companies in the cybersecurity domain are enjoying great levels of attention and success. For example, Israel Aerospace Industries Ltd. (IAI), which is the country’s largest aerospace and defense company (and government-owned), recently announced that it ended 2016 with over $100 million worth of contracts in “cyber-intelligence, cyber-forensics and analysis, and cyberdefense centers.” Its President and CEO, Joseph Weiss, recently said: “[w]e consider cyber to be a strategic field of activity and a growth engine at IAI, and expect it to continue to expand significantly in the coming years” adding that “[w]e will continue to invest in cyber companies and research and development centers in order to continue to expand in this field.”

Fuel for Startups

While the Middle East is known for its fuel reserves, startups require a different kind of fuel — financial fuel. From a global cybersecurity investment perspective, PM Netanyahu during his CyberWeek address mentioned that Israel had garnered double-digits worth of private cyber security investment from around the world in 2016. Added to the generous incentives provided by the government, such as a 4% tax rate for cybersecurity startups (compared to 25% tax rate for regular businesses), as well as seed money that need only be repaid if the startup is successful, the environment is highly conducive to having academics and former military elites join with business leaders in rapidly creating startups.

Globally, investors have proven eager to invest billions of dollars into this domain. From 2012-2016, VCs reportedly invested $12.5 billion worth of seed money (in over 1,200 startups), from $1.32 billion in 2012 to $3.67 billion in 2015 (global figures). From an Israeli perspective, the country saw the creation of 65 new startups in 2016 — putting the total number of companies active in cybersecurity at 365 — and “maintained its leading position as a global center of cybersecurity innovation” according to a data by the nonprofit Start-Up Nation Central. The amount of investment flowing to Israeli startups was second only to the US, but managed to grab 15% of the global venture capital flows. The amount of capital raised by cybersecurity startups in 2016 was reported to be $581 million, up 9% from 2015.

The figures below, about the number of active Israeli cybersecurity companies and the exit deals, are produced by Start-Up Nation Finder™, a free online platform providing data and opportunities for collaboration with Israeli high-tech companies and start-ups. The tool was also used to analyze the data as part of a report by Start-up Nation Central on Israel's Cybersecurity Industry in 2016 (SNC report).


Figure 1 — Active Cybersecurity Companies in Israel (src: SNC report, used with permission)


Figure 2 — Exit Deals for Israeli Startups, 2014-2016 (src: SNC report, used with permission)

Human Capital and Academic Expertise

Although financial incentives and easy access to seed money makes for a frantic level of startup activity, it is the ability for these budding companies to tap into a well trained workforce and expertise from academia that helps buds turn into full-bloom flowers. We’ll focus on academia next, since our first article in the series already covered many aspects of Israel’s workforce.

While many countries have reasonably close ties between academia, few countries display the level of collaboration, cooperation, and freedom of movement between industry, the military, and academia as Israel. The country’s leading academic institutions, such as Tel Aviv University (TAU) and Ben-Gurion University of the Negev (BGU) are not only home to cybersecurity research centers, but figure also prominently at the center of a hive of activity around startups, applied research, and technology transfer.

One such center of activity, Beersheba (also spelled “Beer Sheva”), is located 70 miles South of Tel Aviv. Beersheba has been called the Silicon Valley of Israel, and being home to BGU, it also showcases this tight collaboration between VCs, academia, and the military as the Israeli Defense Forces move a large portion of their activities to Beersheba. A key center in Beersheba is CyberSpark, an Israeli Cyber Innovation Arena. CyberSpark describes itself as “a joint venture of the Israeli National Cyber Bureau in the Prime Minister’s Office, Beer Sheva Municipality, Ben Gurion University of the Negev and leading companies in the cybersecurity industry.” Beersheba is now home to R&D centers for many global technology firms including EMC/RSA and Lockheed-Martin (LM), and the close proximity to BGU further fuels exchanges between students, industry, and academia, as exemplified by its close work with Deutsche Telecom.

Closing Thoughts

A fellow journalist described Israel’s approach to nurturing cybersecurity startups as “a potent mix of tight government oversight and large-scale public investment in education, talent identification and development and R&D.” Other countries seem to agree, and so do international investors.

Reflecting upon my first visit to Israel just last week, I have found the country to be both an innovator and an incubator. Israeli companies seem to be able to move fast, innovate, and when things don’t go well, learn their lessons and adapt. With a strong ability to leverage expertise found in academic and military sectors, combined with a strategic directive from the government to invest in cyber — both as a matter of self-defense as well as to tap into this new burgeoning market — Israel has quickly risen to be a key player in the global cybersecurity market, and is likely to continue its leading role for decades to come.

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 1: Why Israel?

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is one of three that I wrote following that experience.

A few years ago I decided to establish Israel as one of the five leading cyber powers in the world and I think by all accounts, we're there. But, the jury in cyber security is always out. And it's a constant challenge.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

How does a small country — with about the same population count as Switzerland — position itself to compete in the fast-pace cybersecurity global marketplace? In this article, we’ll explore the factors that have enabled Israel to position itself as a key future player in cybersecurity. In a follow-up article, we’ll look at how Israel has leveraged that potential into action, creating a marketplace for venture capital and innovation, resulting in hundreds of security startups.

Demographics

What is immediately noticeable when arriving in Israel is the number of young people around you. Unlike many of the largest countries and economies, Israel has a young, vibrant population, with over 43% of people aged 24 or under (CIA World Factbook). The median age is 29.7, compared to 37.9 for the US, 42 for Canada, and 42.7 for the entire European Union.

Population Chart for Israel, 2016 (src: CIA World Factbook)

Having a young population not only gives it a current and future stable workforce supply, it also means that a larger percentage of the population is going to be tech-savvy, having grown up in a world in which the Internet always existed, and being very comfortable with using and understanding technology, and the Web of Trust (WoT) that binds us all.

However, by itself, having a young population doesn’t mean that a country is poised to be a global player on the cybersecurity stage. So next, we’ll explore the role the government has played in shaping this nation to be a key player in cybersecurity.

Cyber — A Government Focus & Priority

While a growing number of governments around the world are proclaiming their desire to boost their cybersecurity workforce, nowhere is it more evident than in Israel. Attend any cybersecurity conference in Israel and you’ll inevitably run into dozens of key government leaders, from multiple sectors including the economy, import/export, the military, but also education and academia. Don’t be surprised if the head of the country pops in to make a short speech about the importance of the cyber domain to Israel’s future, as Prime Minister Netanyahu did on June 26th at the start of the CyberWeek conference at Tel Aviv University:

Cyber security is serious business. It's serious business for two reasons: the first reason is that it's a serious and growing threat. And it's a growing threat everywhere because everything, every single thing is being digitized. And the distinction between hi-tech and low-tech is rapidly disappearing. And as that happens in one country after another, in one industry after another, in one critical infrastructure after another, and as we enter the world of the internet of things the need for cyber security is growing exponentially.
[...]
Our decision in this case was to create a national cyber defense authority and we are organizing them around the cyber net so that everybody has secure information between the government and the various organizations and the business organizations. We can communicate in a secure way and the parties inside the net can communicate with each other. Not only to respond to attacks but to prevent them, to prevent them by early warning, to prevent them also by guidance, by teaching a systemic doctrine to the extent that you can be systemic in this business.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

A Military Affair

The government’s role in leading the effort to position Israel as a leader in this space is undeniable. However, growing a cybersecurity workforce comes much easier to Israel than to the rest of the world, due to Israel’s need to protect itself from what they call “not so friendly neighbors.”

In many developed countries, the workforce supply in the cybersecurity domain is stretched thin, often with minimal or negative unemployment rates in the field, leading to many companies poaching the best security folks from their competitors, and leaving the government sector with a near-empty pool of applicants as government salaries are much lower, often on the order of 20%, 30%, even 40% lower, and the barriers to entry much higher (i.e. advanced degrees, clean record, drug tests, etc). A 2016 Indeed article compared the salary, adjusted for cost of living differences, of an information security specialist with three years of experience in Minneapolis ($127,757) with that of someone in Arlington VA ($74,254). The numbers speak for themselves.

In Israel the cyber workforce situation is much different; the Israel Defense Forces (IDF) provide the country with a fresh, auto-renewing supply of talented youths that have often signed up for extra tours of duty in some of the elite units of the IDF (e.g. the famous unit 8200, where many of today’s cybersecurity entrepreneurs once served). According to Wikipedia, the number of people reaching military age annually (estimates for 2016) is 60,000 males and another 60,000 females. While that number is by no means large, the experience instills in the conscripts many key values that lasts for decades after they’ve left their defense units and integrated the workplace.

One of the most privileged spots in the IDF is unit 8200 which is often referred to as Israel’s equivalent to the NSA. Unit 8200 is an intelligence unit, responsible for collecting signal intelligence (SIGINT) and code decryption. Unit 8200 is just one of several sought after units in the Israeli Intelligence Corps, which is “responsible for collecting, disseminating, and publishing intelligence information for the General Staff and the political branch” and also to engage “in counter-intelligence and information security work, and presents general assessments.” Several alumni of unit 8200 “have gone on to found leading Israeli IT companies, among them CheckPoint, Imperva, Incapsula, CloudEndure, Cybereason, ICQ, LightCyber, NSO Group, Palo Alto Networks, indeni, NICE, AudioCodes, Gilat, Leadspace, EZchip, Onavo, Singular and CyberArk.”

However, unit 8200 is just one of the many valuable units where young men and women can serve, and in the process gain valuable training and experience that can be of use in the business world.

Other Factors

Of course, there are other factors at play that have helped Israel position itself as a leader in this domain, beyond the young population, beyond the deliberate focus and support of the Israeli government, and beyond the fairly unique military apparatus which provides valuable training and experience.

These other factors include cultural aspects of resilience and innovation, access to academia for subject matter expertise, economic support for investments and growth in this space, and a startup mentality highly tolerant of failures — and more importantly lessons learned — to name a few.

In Israel, all of the factors mentioned above have contributed to creating a capacity for innovation and excellence in the cybersecurity domain. Just as importantly, the political and military leadership of the country are fully cognizant of that capacity and have decided to make it a national priority. As Dr. Eviatar Matania, Head of the Israel National Cyber Directorate, put it, “cyber is like the industrial revolution… We are just at the beginning of the cyber revolution… But we are going to be a cyber nation… as cybersecurity is a necessity to prosper.”

And as they say, the rest is history.

Our second article, “The Land of the Cyber Startups,” delves into the determined ways that Israel has been encouraging the growth of its cybersecurity sector.

Former Head of Shin Bet on Current State of Cybersecurity

This article explores what the former head of Shin-Bet, Israel's internal security service (equivalent to Britain’s MI5 or the FBI in the US), thinks of the current state of cybersecurity in the world today, and what can we learn from his warnings?

In June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. Among the key people we met and interviewed was Yuval Diskin, who headed Shin Bet (aka Shabak) from 2005 to 2011. Yuval is currently the Chairman of CyMotive, a company focusing on cybersecurity in the automotive industry. CyMotive was born out of a partnership with Volkswagen, which issued a press release in September 2016, touting the important role this new company would play for Volkswagen and the automotive industry:
The age of the connected car enables customers to use a variety of features inside modern vehicles. However, with increasing connectivity comes an increasing risk. Aspects such as intelligent and autonomous driving increase the number of interfaces in the vehicle and thus the risk of malicious attack.

Mr. Diskin quickly set the tone when it comes to the state of cybersecurity today, stating “attackers are very dynamic; defenders are very static, passive.” He went on to say that “interconnectivity is one of the biggest challenges” and that to prevent or detect attacks, you must extend your scope beyond the perimeter. The current approach deals with layers of defenses and incident response preparations, but both of those approaches require the organization to wait until an attacker has successfully compromised systems in order to react.

His approach? Leverage behavioral science to identify attackers, even before they’ve found you and successfully penetrated your defenses. “Behind every cyber attack, there is a human being…” he said, then explaining that the goal is to connect the dots to identify the humans behind the attacks. He coins his approach as “intelligence driven offensive defense” and warns that many organizations and leaders prefer “naive” solutions to their cybersecurity problems, alluding to the patchwork of controls that many organizations have deployed today, with 36% of banks reportedly using between 51 and 100 security tools.

“There is a real reason to be frightened by the potential of a cyber attack” he said, alluding that current activity is equivalent to child’s play (i.e. how a child explores his ability to impact the world around him, and test boundaries). So what are organizations to do? Instead of looking for new (cybersecurity) solutions he said, organizations should ensure that their cyber processes are consistent and maturing, and that the controls are effective.

So what are you waiting for? Go test your controls, before someone else does.