You can only imagine what the telephone call log looked like for A, the data security manager for the Israeli insurance company Shirbit after it became the victim of a hacking attack at the end of November that exposed sensitive information about employees and customers.
A instantly became the man of the moment, who had to provide answers and explanations to his CEO as well as the National Cybersecurity Authority and other government bodies.
A’s job title of chief information security officer is a relatively new one in the business world whose powers and responsibilities are often inadequate to the challenges. That has become increasingly evident amid a wave of cyberattacks against Israel in recent weeks.
The attack on Shirbit was one of the first in this wave; the most prominent has been the Pay2Key attack attributed to Iranian cybercriminals. Pay2Key has targeted at least 80 Israeli companies and has claimed, among its victims, government ministries and the state-owned defense company Israel Aerospace Industries.
The attacks have underscored how ill-prepared Israel is to deal with this threat, despite its global image as a cybersecurity powerhouse.
Being a CISO is a demanding job that requires that its best practitioners have two completely different skill sets.
“A CISO is someone who is deeply implanted in the world of data security, a complex world that you can’t become expert in quickly. But a CISO also needs to be a person with influence inside the business,” said Asaf Weisberg, a member of the board of ISACA, an international professional association focused on information technology governance.
“You can look at a CISO as the person who explains cyberthreats to management and clarifies their business implications. The CISO can show what threats exist and say ‘This could cause service interruptions or a leak of sensitive information’ and then what.”
But as much as CISOs turn into the point people at a time of crisis, they are often hamstrung by their status in the organization, said Einat Meron, who advises companies and organizations on cybersecurity.
“He has a lot of responsibility but very little authority. He’s the ‘bad guy’ in normal times because he’s the one who prevents employees from going to websites like Ali Express or prevents them from sending corporate presentations over their private emails. But when all is said and done, he’s the man everyone points a finger at when a cyberattack occurs,” she said.
In fact, a surprisingly large number of Israeli companies have no CISO at all. A survey by the National Cybersecurity Authority found that 25% of surveyed businesses had no one in that role. Another 58% gave responsibility for security to their IT or network manager. Only 23% actually employed a CISO.
Even when there is a CISO, he or she may not have the resources to do the job properly.
“I’m the only one responsible for data security but with the workforce I have I can’t monitor each and every system,” said the CISO at a large Israeli hospital who spoke on condition of anonymity. “I can’t see what’s happening in every network because the kind of tools that would enable me to do that are too expensive. Even our public website isn’t encrypted.”
A former employee of Sapiens alleged that prior to a ransomware attack on the Israeli insurance-tech company earlier this year its top executives hadn’t taken the proper steps to protect the company’s data.
“Over the years I warned about data security weaknesses and monitoring tools. Management decided to look the other way and opted for inappropriate solutions,” the ex-employee wrote on a social media website. Sapiens declined to comment.
One way of knowing how much influence and power a CISO has in an organization is to see where he or she sits in the corporate hierarchy, said Sigal Russin, who has worked as a CISO in several organizations, including the insurer Hapool, which manages mandatory auto coverage. “Except for banks and the big insurance companies, where the CISO is a member of the management board and reports directly to the CEO, the CISO is usually subordinate to the IT manager,” she said.
Having a CISO report to an IT manager is problematic. “It creates a built-in conflict of interests because the IT manager always wants to introduce and encourage the use of the systems and the CISO wants to delay – he’s the policeman. So, when the CISO is subordinate to the IT manager, he has less influence in the organization and his budget depends on the IT budgets. His approach is less businesslike,” said Russin.
Meron, who has worked with scores of CISOs, agrees. “The CISO is usually a weak figure,” she said. “They’re four tiers away from the CEO. They are undermined by their lack of authority and for everything they need they have to go to the IT manager. Another problem is that many CISOs work for several organizations.”
The problem isn’t unique to Israel. Splunk, a U.S. company, publishes an annual list of “10 things that keeps CISOs up at night,” and this year’s includes the expanded “attack surface” created by the growing use of the internet of things (web-connected devices) and the growing use of cloud computing, “malicious insiders” and the “alert fatigue” resulting from so many layers of data security inside a big organization.
But apart from that, Splunk notes the lack of money to ensure data security. “CISOs continue to face challenges in securing substantial budgets, largely because they have difficulty forecasting threats and achieving measurable results from security investments,” wrote expert Oliver Friedrichs.
He said 66% of CISOs surveyed said they didn’t have adequate staff. Others cited increasingly onerous regulations and their lack of access to top management.
In 2016, Israel’s insurance commissioner issued a directive on cyber risk for big companies, such as Shirbit. Among other things, it mandated appointing someone as “cyberdefense manager with proven expertise and experience in management positions in the field of cyberdefense.” It also specified that the manager “will not hold any position that may harm his ability to act appropriately in his job” and that he will get the “resources to carry out his role.”
However, the profile of A on LinkedIn showed that he wasn’t employed at Shirbit but was a subcontractor working for the cybersecurity company WhiteHat. It appears that he has no degree in IT, management or computer science; rather, he completed an information security course at HackerU. Meron said that in research she conducted on the Shirbit attack she found that A worked at the insurer only two days a week.
In that respect, A is not unusual. Other LinkedIn profiles of CISOs at smaller insurance companies show that they also rely on subcontractors and that employing part-time CISOs is standard practice.