QOTD - Security & The Business - Which Objective(s) Are You Meeting?

When meeting with security leaders, directors should ask how their cybersecurity plan will help the company meet one or some of these objectives: revenue, cost, margin, customer satisfaction, employee efficiency, or strategy. While these terms are familiar to board members and business executives, security leaders may need guidance on how to frame their department’s duties in the context of business operations.
-- Sam Curry, Chief Security Officer at Cybereason

Src: HBR: Boards Should Take Responsibility for Cybersecurity. Here’s How to Do It 

QOTD - SEC Chair Clayton on Need for Cooperation

Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the nation’s financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyber threats and respond to a major cyberattack, should one arise.
-- Jay Clayton, SEC Chair 

Src: Written Remarks before the Committee on Banking, Housing and Urban Development United States Senate, September 26, 2017

QOTD - SEC Chair Clayton on Cyber & Everyday Americans

Cybersecurity touches the daily lives of virtually all Americans, whether it is our accounts with financial services firms, the companies we invest in or the markets through which we trade. 
-- Jay Clayton, SEC Chair 

Src: Written Remarks before the Committee on Banking, Housing and Urban Development United States Senate, September 26, 2017

QOTD - SEC Chair Clayton on Cyber Risk Disclosures

[W]e are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches.
-- Jay Clayton, SEC Chair 

Src: Written Remarks before the Committee on Banking, Housing and Urban Development United States Senate, September 26, 2017

QOTD - Raskin on Cybersecurity as Shared Responsibility

Understanding and dealing with the cyber threat has, due to your efforts, seeped from the IT shop and into the CEO shop.  Responsibility is now shared. In fact, this new shared responsibility, among IT experts, the CEO, and the board of directors, has been the most noticeable trend in governance from my time in the industry, in state government, and in the federal government.  Bankers rarely used to talk to me much about cybersecurity.  Now, this is one topic that comes up every day.
-- Treasury Deputy Secretary Sarah Bloom Raskin

Src: Remarks of Deputy Secretary Raskin at The Texas Bankers’ Association Executive Leadership Cybersecurity Conference

QOTD - Admiral Rogers on Cyber War

Cyber war is not some future concept or cinematic spectacle, it is real and here to stay.
[...]
Conflict in the cyber domain is not simply a continuation of kinetic operations by digital means, nor is it some Science Fiction clash of robot armies.

-- Admiral Michael Rogers, Commander of US Cyber Command,
Testimony before US House Committee on Armed Services (May 2017)

Src: Docs.House.Gov

QOTD - Citi on Shared Responsibility

“Shared responsibility” means that risk and business management must actively partner to own risk controls and influence business outcomes.
-- Citigroup SEC filing, for Q4 2011

Src: https://www.sec.gov/Archives/edgar/data/831001/000120677412000799/citigroup_10k.htm

You Know It's BAD When Retailers Ask For New (Data-Breach) Laws



The fact is that hackers do not discriminate as to the type of business they attack. [...] Every industry sector – whether consumer-facing or business-to-business – faces data security threats that may put consumer data at risk.
Src: Retailers Cite Equifax as Need for Uniform Data Breach Law | Business Wire

QOTD - On Learning (New Things)

The further along you are in your career, the easier it is to fall back on the mistaken assumption that you’ve made it and have all the skills you need to succeed. The tendency is to focus all your energy on getting the job done, assuming that the rest will take care of itself. Big mistake.
[...]
The primary takeaway from Dweck’s research is that we should never stop learning. The moment we think that we are who we are is the moment we give away our unrealized potential.
[...]
The act of learning is every bit as important as what you learn. Believing that you can improve yourself and do things in the future that are beyond your current possibilities is exciting and fulfilling.
-- Dr Travis Bradberry, Coauthor of Emotional Intelligence 2.0 & President at TalentSmart

Src: These are the skills you should learn that will pay off forever | World Economic Forum

Main Takeaways for CIOs from the Global C-Suite Study

Technological advances are transforming the way we connect, disrupting the status quo and creating huge turbulence. Industries are converging, and new opportunities and threats are emerging, as never before.

The pace of change is top of mind for CIOs. We live in an age where technology is nearly obsolete by the time it has been implemented and deployed. Gone are the days of 5-year and 7-year technology deployment plans; instead, CIOs must oversee a near-continuous digital transformation of their enterprise. Add to that the critical nature of today’s technology infrastructure — i.e. can your business run without computers, networks, or the Internet — and you get a good sense for the level of stress CIOs are facing today.

In 2016, IBM’s Institute for Business Value (IBV) sought to explore the CIO’s perspective as part of a wider study focusing on the C-Suite. For the CIO angle, the IBV study interviewed 1,805 CIOs from around the world. The study sought to answer what the CIOs at the most successful enterprises do differently than their peers. They found a small, but distinctive group, representing about 4% of CIOs. Compared to the rest of the pack, this small group, termed the Torchbearers, stood out by their ability to be “creating intelligent, agile cultures; wising up to the needs of customers; and rewiring the way their organizations reason.” At the other extreme stood a large chunk of respondents (35%), termed Market-Followers for their lower market profile and for coming from less financially successful organizations.

When it comes to the factors that worry CIOs, 77% are worried about “the disruptive influence of new technologies” and the inability to see the next competitor in time to be able to react to them, a concern echoed by the rest of the C-Suite. Which new technologies did CIOs expect to have the most impact? They pointed to mobile solutions (71%), cloud computing (66%), and the Internet of Things (61%).

The Torchbearer Secret to Success?

No business can remain relevant by making ‘tweaks.’ The only way to stay ahead of disruptive change is to embrace it, which means being able to develop and release new products and services within weeks or even days.
-- IBM IBV 2016 Global C-suite Study - The CIO Point of View

CIOs know that to be able to thrive — or just survive — in an era of converging industries, global competition, and high-speed innovation, they need to move towards technology investments that provide their organizations with insight and foresight, instead of a rear-view mirror vision of progress and capabilities. Seventy-one percent of Torchbearer CIOs consider the “strategic implications of new technologies,” looking to save costs but also add to the bottom line by stimulating innovation. But these CIOs also know that a traditional implementation model won’t cut it, which is why 90% of Torchbearer CIOs support agile innovation, compared to just 36% of Market-Follower CIOs.

CIOs today know they must continue to watch operating costs — in many cases do more with less — yet also provide great service quality, minimal downtime, increased agility, while also ensuring the security of the organization’s data. These are tall orders, and CIOs know that they do not have the in-house capability to deliver all these traits simultaneously.

Torchbearer CIOs are more likely to form partnerships to reap the full benefits of technological improvements. They realize the benefits of collaboration with others, not only leveraging their systems and capabilities to provide both the level and the range of services that are required for the organization to compete today, but also to continue to be competitive tomorrow. Yet all these systems and data are likely to use different operating platforms, and thus need to be integrated.

Takeaways for CIOs

But in order to provide this agility, CIOs need to rethink how they plan for and use technology to meet the ever-changing needs of the organization. Unless they have the luxury of time and the ability to manually integrate disparate systems, CIOs need help to improve the way they plan and manage the strategy around the automation and integration of IT infrastructure. This is where partnering with world-class enterprise service providers comes in. For example, in May 2017, the Everest Group named IBM as the Leader in IT Infrastructure Automation. They also pointed to IBM’s recent successes in leveraging cognitive computing to improve the way IT services are planned for, implemented, and delivered.

The most successful CIOs fully appreciate the need to forge alliances with the rest of the C-Suite, and they never lose focus on the value that they bring to all aspects of the business, from IT as critical business infrastructure, to maintaining a watchful eye over data, but also to investing in tools and technologies that will extract business intelligence out of the mountains of data. When it comes to competing and thriving in the global marketplace, Torchbearer CIOs have a strong focus on continuous technology improvements to not only drive efficiencies (e.g. savings achieved by leveraging cloud solutions), but also to provide insight and foresight, which requires leveraging technologies like cloud computing and cognitive computing (e.g., IBM Watson).

Like the rest of the C-Suite, CIOs know the pressure to provide better analytics. However, such analytics aren’t just limited to sales and marketing trends and results. Even IT can benefit from better insights into how current technology is or isn’t enabling the business to be more competitive. The question is: how are CIOs going to implement this agility, this capability to continuously adapt to change, and drive better performance and (technology) investment decisions? CIOs should look for an integration and automation partner that supports multiple platforms and ecosystems, supports automation, and can provide the invaluable analytics needed to monitor service levels and drive improvements.

This post was brought to you by IBM Global Technology Services. For more content like this, visit ITBizAdvisor.com

CISOs Moving up in the Corporate Ladder? CIOs Shouldn't Be Worried


While Chief Information Security Officers (CISOs) are relatively new members of the C-Suite for many organizations, the continued worries about cybersecurity and data breaches have compelled CEOs and boards to reconsider the positioning of the CISO function in the organizational chart.

CISOs - A Rapid Ascent

According to a Forrester study from 2015, 35% of CISOs now report directly to the CEO or president of the organization. This reality is often a little challenging — if not impossible — for CIOs to digest. After all, why is it that someone who used to report to the CIO just a decade ago now gets unfiltered access to the top leadership, and often special budget lines?

A recent blog post characterizes the evolution of the CISO role thusly: “The Guardian and Technologist is giving way to the Business Strategist, the Business Enabler and the Trusted Advisor, who articulates risk, reviews metrics and reports regularly to the board.”

A January 2017 CIO article reported that organizations where the CISO still reports to the CIO had “14% more downtime due to security incidents.” And while the majority of CISOs still report to CIOs, this situation is fluid and evolving rapidly. A K-Logix study reports that when asked about where CISOs will be reporting in the future, “50% of CISOs responded that the role will report into the CEO.”

So, while it may be tempting to consider from a loss perspective, the CISO’s rise isn’t something that CIOs can do much about, at least given the current threat environment. Instead, CIOs can look at this change in the executive landscape as an opportunity to refocus their role, and rally around causes that are relevant to both CISOs and CIOs.

The CISO as a Potential Ally of the CIO

Choose your battles wisely. After all, life isn't measured by how many times you stood up to fight. It's not winning battles that makes you happy, but it's how many times you turned away and chose to look into a better direction. Life is too short to spend it on warring. Fight only the most, most, most important ones, let the rest go.
-- C. JoyBell C.

For decades, a CIO was often the only technology-minded person in the C-Suite. The rise of the CISO means that the CIO has a potential ally within earshot of the CEO or the board. Yet CISOs are not seeking to replace CIOs, and CIOs can no longer look at IT risks as falling purely within “their domain.” The digital risk landscape needs — requires — a functioning relationship between these two giants of the world of data.

CIOs should grab this opportunity to revisit their relationship with the CISO, openly, and seek to patch things up, especially any disagreements from the past which could continue to poison the relationship.

CISO as a Strategic Partner

While a positive working CIO-CISO relationship is definitely a must, the global marketplace and the ever-increasing cybersecurity risks mean that to be truly effective, the CIO-CISO relationship should be that of a strategic partnership: CIOs and CISOs should forge an alliance to focus both on protecting and enabling the organization through smart, effective investments in security and technology.

For example, AI and cloud are changing the way organizations are doing business, leveraging on-demand computing and storage, bringing along cost-savings and increased agility, but also presenting new challenges to keeping track of IT risks, and preparing for the inevitable breach. By working together in a strategic manner, the CIO and CISO can lean on each other, on one hand to provide the IT and data infrastructure that keeps the organization running, and on the other hand to keep cyber risks within acceptable levels, all the while maintaining a vigilant eye on the network, devices, and data, ready to respond when needed.

The CIO, as an experienced member of the C-Suite, can start building this new level of relationship by offering to share their own lessons learned and experiences with joining the top leadership, and share their concerns about the overall digital strategy of the business. For some CIOs, relinquishing control will be more challenging, but one has to pick their battles, and the positioning of the CISO isn’t one worth hanging on to, at least not in the interest of the organization, the greater good.

This post was brought to you by IBM Global Technology Services. For more content like this, visit ITBizAdvisor.com

QOTD - Jay Clayton on SEC's Mission

Technology has become commonplace in our lives, including in our financial transactions, and cybersecurity should be a major concern for all Americans...
It is critical that we regularly assess the cybersecurity landscape and adapt accordingly as we strive to fulfill our mission.
-- SEC Chairman Jay Clayton

Src: https://www.sec.gov/news/press-release/2017-126

Podcast Notes - Six Point List for Dealing with Today's Cyber Attacks

I was recently on a podcast (to be released in the next couple of weeks) discussing current events, especially recent reports related to “Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say.” Towards the end of the podcast, I was asked for some closing thoughts, which I organized into a six-point list:

  1. Attacks are happening. Accept this as fact!
  2. Look internally at your People, Processes, and Technology (PPT), and assess how resilient your PPTs are against the types of attacks that are happening.
  3. Start taking steps -- or more likely, improve your current steps -- to prevent, but also to detect and respond (as prevention will only get you so far).
  4. Patch, patch, patch.
  5. Test, test, test.
  6. Finally, because it's only a matter of time, the last item is: drill baby, drill.

Cyber Lessons from the 2017 Harvey Nash / KPMG CIO Survey Report

In May this year, Harvey Nash and KPMG released their 2017 CIO Survey report. The report looks at some of the key issues on CIOs’ radar, including how CIOs are handling changing times, the need for stable IT, the strategic influence of CIOs, issues leading to costly and failed IT projects, job satisfaction, and of course, the issue of cybersecurity.

We’ll cover the highlights of the report, take a deeper dive into the issue of cybersecurity, which features prominently in the report, and share lessons on how CIOs can improve their organization’s posture.

Top (and Bottom) Priorities for CIOs

The top four priorities listed for CIOs are:

  1. The need to deliver stable IT service to the business (63%, up 21% from 2016)
  2. Increasing operational efficiencies (62%, up 7% from 2016)
  3. Improving business processes (59%, up 3% from 2016)
  4. Saving costs (54%, up 8% from 2016)

In contrast, the bottom three priorities are:

  1. Reputation management via social media (5%)
  2. Achieving sustainable/green IT (6%)
  3. Investing in social media platforms (7%)

CIO Good News

Among the list of positive news for CIOs was their self-reported increase in their strategic influence: when asked if their influence was growing, 71% of CIOs responded yes, up from 67% in 2016. Not surprisingly, 62% of CIOs now sit on the executive board, up from 57% in 2016, a number that was below the 50% mark for the decade ending in 2010. This increased visibility is also confirmed with 68% of CIOs reporting having attended a board meeting in the last quarter, a figure that goes up to 85% when considered over a 12-month window. However, this picture is skewed towards the smaller organizations, where it appears that CIOs have an easier time getting access to the board (72%, versus 65% for mid-size, and only 45% for large organizations). Similarly, CIOs at smaller organizations are more likely to report directly to the CEO at 45%, versus 27% for mid-size, and 17% for large organizations.

Where a CIO sits in the organizational chart makes a difference in their perception of job satisfaction: 44% of CIOs on the executive committee reported their roles as very fulfilling, compared to 42% of CIOs reporting to CEOs, and only 38% of CIOs reporting to CFOs. On the salary front, CIOs reporting to the CEO or the board reported larger salary increases (36% for CIOs under CEOs, and 35% for CIOs on executive committee) than those under the CFO (32%).

Managing Change

Managing change comes with the territory for CIOs. When asked about how they had adapted their technology plans to deal with uncertainty, CIOs reported creating a more nimble technology platform (52%), finding a way to work with restricted budgets (49% average, but more pronounced in small organizations at 51%), and investing more in cybersecurity (45% average, but much more pronounced in mid-size and large organizations at 55% and 53% respectively) as their top three.

The Cybersecurity Issue

While cybersecurity figures in 3rd place in the aggregate picture, it is the #2 issue for both mid-size and large organizations, just behind the need for nimble IT. For mid-size organizations, nimble IT ranks in the top spot at 56% while security is just below at 55%, with a similarly close picture for large organizations with 54% for nimble IT and 53% for security. Not surprisingly, cybersecurity was a regular topic in the top five categories of topics discussed when CIOs interacted with boards, along with IT strategy, IT investments, and digital transformation.

The report introduces the cybersecurity issue thusly: “Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.”

Top concerns for CIOs include organized cybercrime (71%), amateur criminals (52%), insider threats (48%), but also spammers (39%), foreign powers (28%), and competitors (19%). More worrisome, when CIOs were asked whether they were “well prepared” for detecting and responding to cyber-attacks, only 21% responded yes in 2017, compared to 22% in 2016, 23% in 2015, and 29% in 2014.

As can be expected, large organizations are more likely to report having suffered a major attack in the past two years (53%) compared to mid-size (41%) or small organizations (30%). However, the lower numbers for the smaller organizations may also be a reflection of their less mature detection and investigative capabilities.

Many CIOs are left wondering if their organizations are truly secure, or whether a false sense of security has been allowed to take hold, with potentially disastrous consequences. Bob Kalka, Vice President IBM Security Business Unit, wrote a three-part series on Questions Every CIO Should Ask the Cybersecurity Leader: part 1, part 2, and part 3.

Much More in the Report

The report also points to an increasing trend where a larger share of the IT budget is controlled or managed outside of IT, 40% in 2017, up from 38% in 2016, and 34% in 2015. This trend puts increased pressure on CIOs’ ability to effectively manage the relationship with the rest of the C-suite and the board to exert influence on how that share of the budget is being spent.


Overall, the 56-page report provides a snapshot of where a CIO sits compared to their peers, as well as highlights important trends to be aware of and key areas they should be focusing on.

This post was brought to you by IBM Global Technology Services. For more content like this, visit ITBizAdvisor.com

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 2: The Land of the Cyber Startups

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is the second of three articles that I wrote following that experience; the first article explored the question of “Why Israel?”

[T]he prominence of Israel in the technological field and in the cyber field have made Israeli companies very, very attractive. So because we have a lot of speed chess players, because we have hundreds of startups, because we have demonstrable success in providing solutions in this rapidly changing sphere, Israel has become an attractive target for cyber security investment, and I think if I tally it roughly as we can see, in 2016 we have about 20% of the global private cyber security investment around the world.
-- PM Netanyahu at the CyberWeek conference (June 26, 2017)

In a previous article, we explored some of the factors that have contributed to positioning Israel as a potential leader in the cybersecurity innovation domain. Potential isn’t always realized, but in the case of Israel there is strong evidence that the formula for leveraging their special mix of circumstances into cyber startups and investments is working.

Growing Alliances

One cannot hear the Prime Minister and deny that Israel is a country deliberately focused on cyber. There is a palpable effort by the government, financial, and industry sectors and academia to come together and collaborate. This effort is having an impact on the way the rest of the world sees Israel, as evidenced by Indian Prime Minister Narendra Modi, who visited Israel in early July, the first visit by an Indian PM. In part thanks to its cybersecurity expertise, Israel is being courted by many countries, according to its PM.

At CyberWeek, representatives from the US government were also in attendance, marking a new level of collaboration. Thomas Bossert, Assistant to the President for Homeland Security and Counterterrorism, announced the creation of a bilateral cyber working group to “stop adversaries before they can get into our networks and hold bad actors accountable.” According to Reuters, the working group will focus on a “range of cyber issues — critical infrastructure, advanced R&D, international cooperation, and workforce.” Bossert went on to explain one of the reasons for working together: "[t]he agility Israel has in developing solutions will innovate cyber defenses that we can test here and bring back to America.”

From Alliances to Startups and Vice Versa

The two high-profile announcements about collaboration will likely be a boon for Israel’s continued ability to produce hundreds of cybersecurity startups. How many startups are we talking about exactly? Reuters quoted a figure of 400, while other sources put that figure closer to about 350 startups. Regardless of the exact number — as by their very nature startups come and go, sometimes in a matter of weeks or months — Israel is at the forefront of the global race to innovate in the cybersecurity space. Several (former) cybersecurity startups have now reached global name recognition; here are just a few, whose names you might recognize: IAI, Check Point, Verint, CyberArk, ECI, ByNET, CyberX, BGProtect, Clearsky, Safebreach.

The vibrant amount of activity in Israel hasn’t gone unnoticed by the global investment community and the US. A recent piece of legislation, Senate bill S.719, entitled “United States-Israel Cybersecurity Cooperation Enhancement Act of 2017” and introduced in March 2017, might help the US adapt Israel’s recipe for success to further energize US activity in this key sector. The bill “requires the Department of Homeland Security (DHS) to establish a grant program to support cybersecurity research and development, and the demonstration and commercialization of cybersecurity technology.” Grant eligibility requires that “a project must be a joint venture between: (1) for-profit, nonprofit, or academic entities (including U.S. national laboratories) in the United States and Israel; or (2) the governments of the United States and Israel.”

Most companies in the cybersecurity domain are enjoying great levels of attention and success. For example, Israel Aerospace Industries Ltd. (IAI), which is the country’s largest aerospace and defense company (and government-owned), recently announced that it ended 2016 with over $100 million worth of contracts in “cyber-intelligence, cyber-forensics and analysis, and cyberdefense centers.” Its President and CEO, Joseph Weiss, recently said: “[w]e consider cyber to be a strategic field of activity and a growth engine at IAI, and expect it to continue to expand significantly in the coming years” adding that “[w]e will continue to invest in cyber companies and research and development centers in order to continue to expand in this field.”

Fuel for Startups

While the Middle East is known for its fuel reserves, startups require a different kind of fuel — financial fuel. From a global cybersecurity investment perspective, PM Netanyahu during his CyberWeek address mentioned that Israel had garnered a double-digit share of private cyber security investment from around the world in 2016. Added to the generous incentives provided by the government, such as a 4% tax rate for cybersecurity startups (compared to 25% tax rate for regular businesses), as well as seed money that need only be repaid if the startup is successful, the environment is highly conducive to having academics and former military elites join with business leaders in rapidly creating startups.

Globally, investors have proven eager to invest billions of dollars into this domain. From 2012-2016, VCs reportedly invested $12.5 billion worth of seed money (in over 1,200 startups), from $1.32 billion in 2012 to $3.67 billion in 2015 (global figures). From an Israeli perspective, the country saw the creation of 65 new startups in 2016 — putting the total number of companies active in cybersecurity at 365 — and “maintained its leading position as a global center of cybersecurity innovation” according to data from the nonprofit Start-Up Nation Central. The amount of investment flowing to Israeli startups was second only to the US, and accounted for 15% of the global venture capital flows. The amount of capital raised by cybersecurity startups in 2016 was reported to be $581 million, up 9% from 2015.

The figures below, about the number of active Israeli cybersecurity companies and the exit deals, are produced by Start-Up Nation Finder™, a free online platform providing data and opportunities for collaboration with Israeli high-tech companies and start-ups. The tool was also used to analyze the data as part of a report by Start-Up Nation Central on Israel's Cybersecurity Industry in 2016 (SNC report).


Figure 1 — Active Cybersecurity Companies in Israel (src: SNC report, used with permission)


Figure 2 — Exit Deals for Israeli Startups, 2014-2016 (src: SNC report, used with permission)

Human Capital and Academic Expertise

Although financial incentives and easy access to seed money make for a frantic level of startup activity, it is the ability of these budding companies to tap into a well-trained workforce and expertise from academia that helps buds turn into full-bloom flowers. We’ll focus on academia next, since our first article in the series already covered many aspects of Israel’s workforce.

While many countries have reasonably close ties between academia and industry, few countries display the level of collaboration, cooperation, and freedom of movement between industry, the military, and academia as Israel. The country’s leading academic institutions, such as Tel Aviv University (TAU) and Ben-Gurion University of the Negev (BGU), are not only home to cybersecurity research centers, but also figure prominently at the center of a hive of activity around startups, applied research, and technology transfer.

One such center of activity, Beersheba (also spelled “Beer Sheva”), is located 70 miles south of Tel Aviv. Beersheba has been called the Silicon Valley of Israel, and being home to BGU, it also showcases this tight collaboration between VCs, academia, and the military as the Israeli Defense Forces move a large portion of their activities to Beersheba. A key center in Beersheba is CyberSpark, an Israeli Cyber Innovation Arena. CyberSpark describes itself as “a joint venture of the Israeli National Cyber Bureau in the Prime Minister’s Office, Beer Sheva Municipality, Ben Gurion University of the Negev and leading companies in the cybersecurity industry.” Beersheba is now home to R&D centers for many global technology firms including EMC/RSA and Lockheed Martin (LM), and the close proximity to BGU further fuels exchanges between students, industry, and academia, as exemplified by its close work with Deutsche Telekom.

Closing Thoughts

A fellow journalist described Israel’s approach to nurturing cybersecurity startups as “a potent mix of tight government oversight and large-scale public investment in education, talent identification and development and R&D.” Other countries seem to agree, and so do international investors.

Reflecting upon my first visit to Israel just last week, I have found the country to be both an innovator and an incubator. Israeli companies seem to be able to move fast, innovate, and when things don’t go well, learn their lessons and adapt. With a strong ability to leverage expertise found in academic and military sectors, combined with a strategic directive from the government to invest in cyber — both as a matter of self-defense as well as to tap into this new burgeoning market — Israel has quickly risen to be a key player in the global cybersecurity market, and is likely to continue its leading role for decades to come.

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 1: Why Israel?

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is one of three that I wrote following that experience.

A few years ago I decided to establish Israel as one of the five leading cyber powers in the world and I think by all accounts, we're there. But, the jury in cyber security is always out. And it's a constant challenge.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

How does a small country — with about the same population count as Switzerland — position itself to compete in the fast-paced global cybersecurity marketplace? In this article, we’ll explore the factors that have enabled Israel to position itself as a key future player in cybersecurity. In a follow-up article, we’ll look at how Israel has leveraged that potential into action, creating a marketplace for venture capital and innovation, resulting in hundreds of security startups.

Demographics

What is immediately noticeable when arriving in Israel is the number of young people around you. Unlike many of the largest countries and economies, Israel has a young, vibrant population, with over 43% of people aged 24 or under (CIA World Factbook). The median age is 29.7, compared to 37.9 for the US, 42 for Canada, and 42.7 for the entire European Union.

Population Chart for Israel, 2016 (src: CIA World Factbook)

Having a young population not only gives the country a stable current and future workforce supply, it also means that a larger percentage of the population is going to be tech-savvy, having grown up in a world in which the Internet always existed, and being very comfortable with using and understanding technology, and the Web of Trust (WoT) that binds us all.

However, by itself, having a young population doesn’t mean that a country is poised to be a global player on the cybersecurity stage. So next, we’ll explore the role the government has played in shaping this nation to be a key player in cybersecurity.

Cyber — A Government Focus & Priority

While a growing number of governments around the world are proclaiming their desire to boost their cybersecurity workforce, nowhere is it more evident than in Israel. Attend any cybersecurity conference in Israel and you’ll inevitably run into dozens of key government leaders, from multiple sectors including the economy, import/export, the military, but also education and academia. Don’t be surprised if the head of the country pops in to make a short speech about the importance of the cyber domain to Israel’s future, as Prime Minister Netanyahu did on June 26th at the start of the CyberWeek conference at Tel Aviv University:

Cyber security is serious business. It's serious business for two reasons: the first reason is that it's a serious and growing threat. And it's a growing threat everywhere because everything, every single thing is being digitized. And the distinction between hi-tech and low-tech is rapidly disappearing. And as that happens in one country after another, in one industry after another, in one critical infrastructure after another, and as we enter the world of the internet of things the need for cyber security is growing exponentially.
[...]
Our decision in this case was to create a national cyber defense authority and we are organizing them around the cyber net so that everybody has secure information between the government and the various organizations and the business organizations. We can communicate in a secure way and the parties inside the net can communicate with each other. Not only to respond to attacks but to prevent them, to prevent them by early warning, to prevent them also by guidance, by teaching a systemic doctrine to the extent that you can be systemic in this business.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

A Military Affair

The government’s role in leading the effort to position Israel as a leader in this space is undeniable. However, growing a cybersecurity workforce comes much easier to Israel than to the rest of the world, due to Israel’s need to protect itself from what they call “not so friendly neighbors.”

In many developed countries, the workforce supply in the cybersecurity domain is stretched thin, often with minimal or negative unemployment rates in the field. This leads many companies to poach the best security folks from their competitors, and leaves the government sector with a near-empty pool of applicants, as government salaries are much lower, often on the order of 20%, 30%, even 40% lower, and the barriers to entry much higher (e.g. advanced degrees, clean record, drug tests, etc.). A 2016 Indeed article compared the salary, adjusted for cost of living differences, of an information security specialist with three years of experience in Minneapolis ($127,757) with that of someone in Arlington VA ($74,254). The numbers speak for themselves.

In Israel, the cyber workforce situation is much different; the Israel Defense Forces (IDF) provide the country with a fresh, auto-renewing supply of talented youths who have often signed up for extra tours of duty in some of the elite units of the IDF (e.g. the famous unit 8200, where many of today’s cybersecurity entrepreneurs once served). According to Wikipedia, the number of people reaching military age annually (estimates for 2016) is 60,000 males and another 60,000 females. While that number is by no means large, the experience instills in the conscripts many key values that last for decades after they’ve left their defense units and integrated into the workplace.

One of the most privileged spots in the IDF is unit 8200, which is often referred to as Israel’s equivalent to the NSA. Unit 8200 is an intelligence unit, responsible for collecting signal intelligence (SIGINT) and code decryption. Unit 8200 is just one of several sought-after units in the Israeli Intelligence Corps, which is “responsible for collecting, disseminating, and publishing intelligence information for the General Staff and the political branch” and also to engage “in counter-intelligence and information security work, and presents general assessments.” Several alumni of unit 8200 “have gone on to found leading Israeli IT companies, among them CheckPoint, Imperva, Incapsula, CloudEndure, Cybereason, ICQ, LightCyber, NSO Group, Palo Alto Networks, indeni, NICE, AudioCodes, Gilat, Leadspace, EZchip, Onavo, Singular and CyberArk.”

However, unit 8200 is just one of the many valuable units where young men and women can serve, and in the process gain valuable training and experience that can be of use in the business world.

Other Factors

Of course, there are other factors at play that have helped Israel position itself as a leader in this domain, beyond the young population, beyond the deliberate focus and support of the Israeli government, and beyond the fairly unique military apparatus which provides valuable training and experience.

These other factors include cultural aspects of resilience and innovation, access to academia for subject matter expertise, economic support for investments and growth in this space, and a startup mentality highly tolerant of failures — and more importantly lessons learned — to name a few.

In Israel, all of the factors mentioned above have contributed to creating a capacity for innovation and excellence in the cybersecurity domain. Just as importantly, the political and military leadership of the country are fully cognizant of that capacity and have decided to make it a national priority. As Dr. Eviatar Matania, Head of the Israel National Cyber Directorate, put it, “cyber is like the industrial revolution… We are just at the beginning of the cyber revolution… But we are going to be a cyber nation… as cybersecurity is a necessity to prosper.”

And as they say, the rest is history.

Our second article, “The Land of the Cyber Startups,” delves into the determined ways that Israel has been encouraging the growth of its cybersecurity sector.