
Page 1 (slide 40)

STKI's Cyber Governance initiative

"Life is like riding a bicycle. To keep your balance, you must keep moving."
— Albert Einstein

STKI Company Confidential


Page 2 (slide 41)

It's well known that so many companies get hacked. Even the largest and most prestigious ones.

Yet many executives believe it will not affect them.


Page 3 (slide 42)

Cyber's Problematic Reputation

"Cyber is holding us back from achieving all other initiatives"

Copyright@STKI_2018 Do not remove source or attribution from any slide or graph


Page 4 (slide 43)

Cyber governance initiative destination

Striking a balance between the business needs and cyber, risk & compliance needs.

Cyber, governance & compliance are crucial for the survival of organizations, but they are also holding organizations back in many ways. Executives don't fully comprehend the importance of cyber security and their personal responsibility.


Page 5 (slide 44)

Cyber Governance Initiative


Page 6 (slide 45)

Trek name: Zero trust security: Get top management on board

• Demonstrate to the CEO and the board their cyber responsibility
• Determine business cyber main principles
• Allocate cyber budget, head count & org. structure


Page 7 (slide 46)

Number of Employees / Cyber personnel

Source: STKI staffing report

Implement STKI's market data & best practices to receive appropriate budgets and personnel!


Page 8 (slide 47)

Trek name: Design a Cyber Governance Plan

• Build cyber resilience program
• Build risk & cyber multi-year program
• Design holistic cyber measurement program
• Use "Israel National Cyber Directorate" guidance and tools


Page 9 (slide 48)

Israel National Cyber Directorate guidance will boost cyber security in Israel! Especially for non-regulated enterprises.

Non-regulated CISO: "I don't have enough budget and resources"; "I can't explain this to the CEO\Board"


Page 10 (slide 49)


Page 11 (slide 50)

Organizations that want to participate in the beta program can contact tora@pmo.gov.il


Page 12 (slide 51)

Don't forget to secure the ENTIRE supply chain!


Page 13 (slide 52)

Take a deep breath. We've only just started.

STKI expects new regulation based on Israel National Cyber Directorate guidance in several industries.


Page 14 (slide 53)

[Percentage shown in the slide's graphic] of boards are not trained to deal with cyber security incidents!

Source: Einat Meyron cyber resilience consultant & The Cyber Security Source - 2017


Page 15 (slide 54)

CEO \ board member nightmare: One innocent phone call

Page 16 (slide 55)

Source: Einat Meyron cyber resilience consultant

Questions thrown at the CEO during that phone call (the slide shows them as a word cloud; translated from Hebrew):

• I want to speak with the CEO.
• Have you brought a negotiator into the picture?
• Did this happen because you did not implement the regulator's recommendations?
• Did you cut costs?
• They say you won't be able to operate for several days.
• Who is advising you?
• How does this affect the customers?
• Mr. CEO, will you resign?
• How did it happen?
• Will you halt trading in the stock?
• What protection tools are installed at your organization?
• Your employees don't know what to answer customers.
• Whose responsibility is it?
• Where was the failure?
• Will customers be compensated?
• When did you last check the systems?
• Have you already notified the cyber protection authority?
• How will you update us?
• Is it known whether this is an inside job?
• Have you been breached before?
• Was customer data stolen?
• Do you know which other circles were infected because of you?
• Do customers need to install new software on their side?
• Employees say they have no idea what is going on.
• How many computers were affected?
• Did you receive advance threats?
• Is there an alternative plan?
• How do customers verify they were not affected?
• Is it industrial espionage?
• Did you make contact with the hacker?
• How does this affect the quarterly report?
• When will you return to operation?
• How much are they demanding?
• Was there anything special in the demand?

Page 17 (slide 56)

Decision-making during routine time is the key

• Who is the team that will manage the crisis immediately when it is reported?
• What are the critical questions for effective functioning during an attack?
• What counts as drama and what will be classified as low risk?
• Is there an insurance policy? What does it say?
• Is broader legal counsel required?
• Are the reporting procedures to the relevant regulator known?
• Have steps been taken to establish contact with the national CERT?
• How is the relationship with suppliers\customers\shareholders managed?
• How does the organization relate to the possibility of paying the ransom?
• Where does the money for paying the ransom come from?

Source: Einat Meyron cyber resilience consultant


Page 18 (slide 57)

Leverage the similarities between BCP & Cyber Resilience and make them work together in collaboration.

BCP (Business Continuity Plan) | Cyber Resilience


Page 19 (slide 58)

Trek name: Adapt to changing regulations

• Look as GDPR becomes standard
• Keep up with existing regulations
• Implement Privacy Protection Regulation


Page 20 (slide 59)

GDPR Hype: GDPR is searched more than Cyber Security.

[Figure: search-interest trend lines for "GDPR" and "Cyber Security"]


Page 21 (slide 60)


Page 22 (slide 61)

What does GDPR mean to our business? A lot!

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.


Page 23 (slide 62)

It will also change many processes and interaction methods.

Example: first engagement with a client and their consent to continue with the process:


Page 24 (slide 63)

Consent Management: one of the new tools needed to maintain compliance.


Page 25 (slide 64)

Some organizations will have to appoint a DPO under GDPR law. The DPO:

• Informs and advises the organization and its employees about their obligations to comply with GDPR and other data protection laws
• Monitors compliance with GDPR and other data protection laws, including managing internal data protection activities
• Trains staff and conducts internal audits
• Advises on data protection impact assessments
• Is the first point of contact for supervisory authorities and for individuals whose data is processed

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/


Page 26 (slide 65)

GDPR and the Israeli privacy act are touching the same areas.

Source: konfidas


Page 27 (slide 66)

Eventually, it will come… So be prepared.


Page 28 (slide 67)

Trek name: Cyber Security Operations

• Embrace new technologies and prepare for new vulnerabilities
• Re-adjust cyber security program
• Enforce patches, applying to new devices (watches, pumps, cars, etc.)
• Embrace DevSecOps
• Automate Cyber Operations and Use AI\ML


Page 29 (slide 68)

DevSecOps Manifesto:


Page 30 (slide 69)

DevSecOps tools - Embed SDLC (Secure Dev. life cycle) tools into CI\CD:
• Static analysis tools
• Dynamic scanning (auto pen. tests)
• Embed operations data (logs, customer inputs) with security inputs
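As an added illustration of the three bullets on this slide (not code from STKI or from any scanner vendor), the following Python gate shows how a CI\CD stage can combine static-analysis results, dynamic-scan alerts and operations data into a single pass/fail decision. Everything in it is constructed: the SARIF-shaped static-analysis document, the ZAP-style alert list, the production access-log lines and the baseline of previously accepted findings are hypothetical sample data, and the mapping of SARIF `level` values to severities is a choice made here, not a standard.

```python
"""CI security gate: merge SAST, DAST and operations data into one decision.

All inputs are constructed sample data (hypothetical); the SARIF-like and
ZAP-like shapes are simplified and not taken from any real scanner run.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Mapping chosen for this example: SARIF result "level" -> gate severity.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


@dataclass(frozen=True)
class Finding:
    source: str     # "sast" or "dast"
    rule: str       # scanner rule id / alert name
    severity: str   # low / medium / high / critical
    location: str   # file:line for SAST, request path for DAST

    def fingerprint(self) -> str:
        """Stable id used to recognise findings already in the baseline."""
        return f"{self.source}|{self.rule}|{self.location}"


def parse_sast(doc: dict) -> list[Finding]:
    """Read a minimal SARIF-shaped document (runs -> results)."""
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            phys = r["locations"][0]["physicalLocation"]
            where = f"{phys['artifactLocation']['uri']}:{phys['region']['startLine']}"
            out.append(Finding("sast", r["ruleId"], LEVEL_TO_SEVERITY[r["level"]], where))
    return out


def parse_dast(alerts: list[dict]) -> list[Finding]:
    """Read ZAP-style alerts: name, risk and the path that triggered them."""
    return [Finding("dast", a["alert"], a["risk"].lower(), a["path"]) for a in alerts]


def exposed_paths_from_logs(log_lines: Iterable[str]) -> set[str]:
    """Operations input: request paths actually served in production,
    taken from combined-log-format lines ("GET /login HTTP/1.1")."""
    paths = set()
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()
        if len(request) >= 2:
            paths.add(request[1])
    return paths


def evaluate_gate(findings: Iterable[Finding], baseline: set[str],
                  exposed: set[str], fail_at: str = "high") -> tuple[bool, list[str]]:
    """Fail the build only on NEW findings at or above `fail_at`.

    A DAST finding on a path seen in production logs is promoted one severity
    step because real users can reach it. Findings already in the baseline
    are reported for tracking but do not block the pipeline."""
    threshold = SEVERITY_RANK[fail_at]
    reasons, blocking = [], False
    for f in findings:
        rank = SEVERITY_RANK[f.severity]
        if f.source == "dast" and f.location in exposed:
            rank = min(rank + 1, SEVERITY_RANK["critical"])
        if rank < threshold:
            continue
        if f.fingerprint() in baseline:
            reasons.append(f"known {f.source} {f.rule} at {f.location} (baseline)")
        else:
            blocking = True
            reasons.append(f"BLOCK {f.source} {f.rule} at {f.location} (rank {rank})")
    return (not blocking), reasons


# --- constructed sample inputs -------------------------------------------
SAMPLE_SARIF = {"runs": [{"results": [
    {"ruleId": "sql-injection", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/auth.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "warning", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/util.py"}, "region": {"startLine": 10}}}]},
]}]}
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options header missing", "risk": "Low", "path": "/"},
    {"alert": "Absence of anti-CSRF tokens", "risk": "Medium", "path": "/login"},
]
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2018:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
]
# Legacy finding already accepted by the team, so it is tracked but not blocking.
SAMPLE_BASELINE = {"sast|sql-injection|src/auth.py:42"}


def run_sample() -> tuple[bool, list[str]]:
    findings = parse_sast(SAMPLE_SARIF) + parse_dast(SAMPLE_ALERTS)
    return evaluate_gate(findings, SAMPLE_BASELINE, exposed_paths_from_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    passed, why = run_sample()
    print("PASS" if passed else "FAIL", *why, sep="\n")
```

With the sample data the gate fails: the legacy SQL-injection finding is only reported because it is in the baseline, the medium-severity CSRF alert is promoted to high because `/login` appears in production logs and is new, and the rest stay below the threshold. The baseline-plus-promotion approach is what keeps such a gate usable: it blocks regressions on reachable paths without forcing a team to clear its entire historical backlog before the first pipeline can go green.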


Page 31 (slide 70)

Balance between business needs and cyber, risk & compliance needs


Page 32 (slide 71)