While compliance with standards and regulations is necessary in cybersecurity, Ophir Zilbiger points out that compliance and effectiveness are separate issues. The head of the BDO Israel Cyber Defense Center says a security program can be fully compliant without protecting a business very well from cyber threats. Zilbiger explains that non-compliance carries real risk, but that this risk should be managed separately from cybersecurity risk. He says he has learned that, since risk is shared by all parts of an organization, talking in terms of risk is a good way for technicians to connect with the business side of an organization. Zilbiger shares that introducing military thinking to the world of cybersecurity has brought a new and helpful perspective to the profession. The field is also evolving as customers are willing to try new technologies to combat the ever-changing and growing threat.
Today you are Partner Head of BDO Cyber of BDO-Israel and Global Cyber Leader at BDO. First, tell me about your own journey, and then let’s dive into the evolution of cyber as you perceived it.
I started my own journey with the right timing. That was just before the internet became commercial. I’ve had the opportunity to really be a part of the people who built the Internet as an infrastructure, not in a very significant role, but I’ve had the pleasure of seeing things firsthand as they matured, developed or were invented. I’ve been doing security since ’97. I started as a technician. I joined one of the big consulting firms. I learned to translate the technical knowledge into a business language. Then I had the opportunity to start a company in the field of cyber security. Then another company, which led me to BDO, which acquired this company in 2016.
Perhaps we can touch on this cybersecurity phenomenon in Israel. Because I work with clients and organizations around the world, everyone knows that cybersecurity is a phenomenon in Israel. I think if you look at the Israeli ecosystem, we see a lot of innovation related to cybersecurity, because a lot of people are dealing with cybersecurity challenges, whether it’s from a security or defense perspective, or from an offensive perspective, since they’re part of the intelligence agency or the army. This accelerated innovation development, heavily influenced here by the military, is hitting customers’ doors.
Because cyber is such a dynamic threat, customers are not afraid to employ startup or even immature technologies to help them with some of these challenges. What happens then is that the CISOs of these organizations mature in terms of the solutions they see and how they can implement those solutions. The regulators see that. The consultants sometimes have to chase after the client’s expertise. This creates a self-adapting innovation circle in which everyone is involved and on which everyone has an influence. This is one of the reasons, I think, why the Israeli innovation ecosystem works very well for startups and also for understanding the key challenges.
If you look at the way cyber is emerging from a category perspective evolution, do you think that’s a healthy evolution? How well did we do here?
Security really started in the 80s. It started before the internet became a major phenomenon. We started with very simple things, like making sure people have a password to access the mainframe, or a set of permissions appropriate for specific datasets. These challenges have been with us for a very long time. From a technological point of view, the Internet brought with it a lot of new challenges. The world was beginning to take on the Internet at a very rapid, accelerated pace, and this has resulted in tremendous challenges. These challenges were initially placed on the IT people.
In the beginning the focus was very technical. There was no governance. We did not use risk management. We didn’t use any of the methods we use today. It was sporadic and depended on technicians. This has been the case since about the commercialization of the Internet in 1994 and 1995, and up until a very important point in time that led to the second evolutionary wave: the collapse of Enron in 2002, 2003. It created the need for new legislation, which eventually became SOX, Sarbanes-Oxley. Sarbanes-Oxley began a period of approximately 10 years where the sole focus was on compliance. People focused on complying with SOX. Every organization was very busy with this. All vendors that developed technology solutions for security sold those solutions from a compliance perspective.
In those 10 years, maybe even longer globally, until around 2015, people’s main focus was on being compliant. The problem with compliance is that it has nothing to do with effectiveness. It really has to do with ticking the box. It’s less about whether we implemented the process effectively. The folks dealing with SOX have been mostly concerned with making sure the SOX controls are in place. But the people who actually did the day-to-day security were still the technical people, and there was a very big disconnect between the level of compliance that the organization reflected to the outside world and the day-to-day operations that the IT people did on the systems and networks they implemented. This created a large gap in practical security.
The reason we didn’t see this gap in this period is because the threat levels weren’t really there yet. The criminals were not ready, not that mature. But these 10 years allowed the criminals to become much more mature.
The third period in this evolution is the period where cyber is really about effectiveness and less about compliance. When secret services or the military enter the market, they bring military thinking with them. The profession began with technicians and compliance staff, but as we began to see a critical mass of military thinkers around the world pouring into the cyber business, it resulted in a merging of two distinct streams of development. One stream focused on IT, business, risk and compliance. The other stream was really involved in the information war. Then these military thinkers who were offensive security experts had a very interesting and unique perspective on how to defend an organization.
A fairly practical and easy-to-understand example is to look back at the standards being adopted for cybersecurity around the world. Long ago these standards didn’t have the word “intelligence” in them at all, because it wasn’t part of the profession as we had seen it in the past. Today, cyber intelligence is a key element in any defense program. We experience this merging of these two professions today at a very high level of maturity.
Why have you been so interested in cyberspace over the past 30 years?
It was based on my passion for technology, which has always been there. Then, my biggest challenge over those long years was finding a way to talk about technology with top management, who usually – if you look back – didn’t have an internet background. They didn’t understand the threat. We had to speak a different language with them. One of the things that I think sparked my interest in the profession is this ability to speak to top management. As a technician, it has taken me a long time to properly connect with the business world and understand what the business looks like at the macro level.
I think one of the biggest recommendations I can give for really connecting with these business people is to use risk language. Risk is a common denominator between different parts of an organization. When you talk about risk, you’re actually talking about the business, you’re talking about what could go wrong financially. You can start by comparing the level of risk that different parts of the organization may be exposed to and prioritize them based on the level of risk. I see compliance as something that poses a very significant risk for some organizations. However, compliance is a very different risk from cybersecurity. These are two different risks that need to be managed separately.
I think another point related to my interest is to really help organizations to make sure they build the right defenses and are as resilient as possible to a cyber breach. One of the things we still see is that there are consistently large numbers of successful breaches. And I think you can ask, “Are we successful? What can we do better or differently?”
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors and an Investment Venture Partner at Secret Chord and J-Ventures. He studies artificial intelligence and human-computer interaction at Stanford University and was an engineer at Hippo Insurance. Matias previously served as an officer in Unit 8200. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders who share their journeys and experiences.
Contributing Editors: Michael Matias, Megan Ryan