20-Minute Leaders“Because cyber is a dynamic threat, clients are not afraid of using immature technology.”
“Because cyber is a dynamic threat, clients are not afraid of using immature technology.”
While complying with standards and regulations in cybersecurity is necessary, head of BDO Israel Cyber Defense Center Ophir Zilbiger points out that compliance and effectiveness are different issues.
While complying with standards and regulations in cybersecurity is necessary, Ophir Zilbiger points out that compliance and effectiveness are different issues. The head of BDO Israel Cyber Defense Center, he says security can be compliant without being very good at defending an organization from cyber threats. Zilbiger explains that there are risks for not being compliant, but they should be managed separately from the risk of breaches. He says that he learned that speaking in terms of risk is a good way for technical people to connect with business people in an organization, as risk is an aspect shared by all parts of a company. Zilbiger shares that the infusion of military thinking into the cybersecurity world has brought a new and helpful perspective to the profession. The field also evolves as clients are willing to try new technology to combat the ever-changing and growing threat.
Today, you’re a partner head of BDO Cyber of BDO-Israel and global cyber leader at BDO. Tell me first about your own journey, and then let’s dive into the evolution of cyber as you've perceived it.
I started my own journey with the right timing. It was just before the internet became commercial. I've had the opportunity to really be a part of the people who built the internet as an infrastructure, not in a very significant role, but I've had the pleasure of really experiencing things firsthand as they matured, developed, or were invented. I've been doing security since '97. I started as a technical person. I joined one of the big consulting firms. I learned how to take the technical knowledge into a more business language. Then I had the opportunity to start a company in cybersecurity. Then another company, which led me to BDO, who acquired that company in 2016.
Maybe we can touch this phenomenon of cybersecurity in Israel. As I work with clients and organizations around the world, everyone knows that cybersecurity is a phenomenon in Israel. I think when you look at the Israeli ecosystem, we see lots of cybersecurity-related innovation coming out because a lot of people are dealing with cybersecurity challenges, whether it's from a security or defense perspective or from an offensive perspective, as they are part of the intelligence corps or the army. This accelerated innovation development, which is highly influenced by the military here, is hitting the doors of clients.
Because cyber is such a dynamic threat, clients are not afraid of using startup or even immature technology to help them with some of those challenges. What's happening then is that the CISOs of these organizations are getting more mature in terms of solutions that they are seeing and how they can implement those solutions. The regulators see that. The consultants have to chase the expertise of the client sometimes. That creates a self-fitting innovation circle that everyone is involved with and everyone is influencing. That's, I think, one of the reasons why the Israeli innovation ecosystem is working very well for startups and also for understanding the main challenges.
If you are looking at the way that cyber is formed from an evolution of the category perspective, do you consider it a healthy evolution? How well did we do here?
Security started really in the ’80s. It started before the internet became a significant phenomena. We started out with very simple things, like making sure that people have a password to access the mainframe or set of permissions that are appropriate to certain data sets. These challenges have been with us for a very long time. The internet brought huge amounts of new challenges from a technology perspective. The world started to adopt the internet in a very fast accelerated motion and that created huge amounts of challenges. Those challenges were thrown at the IT people in the beginning.
In the beginning, the focus was very technical. There was no governance. We didn't use risk management. We didn't use any of the methods that we use today. It was sporadic and dependent on technical people. That was the case since around the internet’s commercialization in '94 '95, and all the way to a very important point in time that led to the second wave of evolution: the collapse of Enron in 2002, '03. It created the need for new legislation, which was eventually called SOX, Sarbanes-Oxley. Sarbanes-Oxley started a period of time of about 10 years in which the only focus was compliance. People were focused on being compliant to SOX. Every organization was very busy with that. All of the vendors that created technology solutions for security sold those solutions from a compliance perspective.
During these 10 years, maybe globally even longer, 2015, people were mostly focused on being compliant. The problem with compliance is that it doesn't have anything to do with effectiveness. It really has to do with checking the box. It's less about whether we implemented the process effectively. The people that were dealing with SOX were mostly engaged in making sure that the SOX controls exist. But the people who actually did the day-to-day security were still the technical people, and there was a very big disconnect between the compliance level that the organization was reflecting outbound and the day-to-day operation that IT people did on their network. This created a huge gap in practical security.
The reason why we haven't seen this gap in that period is because the threat levels were not really there yet. The criminals were not ready yet, not as mature. But those 10 years allowed the criminals to get a lot more maturity.
The third period of time in that evolution is the period of time where cyber is really about effectiveness and less about compliance. When intelligence corps or military people go out to the market, they bring some military thinking. The profession started with technical and compliance people, but when we started seeing a critical mass of military thinkers infused into cyber business around the world, this created a fusion of two different streams of development. One stream was focused on IT, business, risk, and compliance. The other stream was really involved with information warfare. Then these military thinkers who were experts in offensive security had a very interesting and unique perspective on how to defend an organization.
One example that is quite practical and simple to understand is if we look back at the standards that are globally adopted in cyber securities. A long time ago, this standard didn't have the word “intelligence” in it at all because it wasn't part of the profession in terms of how we thought about it in the past. Today, cyber intelligence is a key element in any defense program. We are seeing this fusion between these two professions today at a very high level of maturity.
Why are you so interested in the cyber space over the last 30 years?
It was based on my passion for technology, which was always there. Then my biggest challenge throughout these long years was to create a way for me to talk about technology with top management who usually—if you look back—did not have any internet background. They didn't understand the threat. We had to speak a different language with them. One of the things that I think kept me interested in the profession is this ability to speak with top management. As a technical person, it took me a long time to connect to the business world properly and to understand how business looks at the macro level.
I think one of the biggest recommendations I can give in terms of how to really connect to those business people is using risk language. Risk is a common denominator between different parts of an organization. When you talk about risk, you actually talk about the business, you talk about what could go wrong in financial terms. You can start comparing the level of risk that different parts of the organization can be exposed to and start prioritizing those based on the level of risk. I see compliance as something that is a very significant risk for some organizations. But compliance is a very different risk from cybersecurity. Those are two different risks that need to be managed separately.
I think another point, in terms of my interest, is really to help organizations make sure that they build the right defenses and be resilient as much as they can to a cyber breach. One of the things that we still see is that there is a huge amount of successful breaches all the time. And I think one can ask, "Are we successful? What can we do better or different?"
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors as well as investment Venture Partner at Secret Chord and J-Ventures. He studies Artificial Intelligence and Human-Computer Interaction at Stanford University, and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan