Tal Goldstein is Head of Strategy of the World Economic Forum Centre for Cybersecurity. He leads the Centre’s public sector engagements and strategic initiatives, including the Partnership Against Cyber Crime program. Before joining the Forum, Goldstein took part in the establishment of Israel’s National Cyber Directorate, leading the formation of Israel’s national cyber security strategy. Prior to that, he served as an officer in Israel’s Military Intelligence Directorate. Goldstein, who holds a B.Sc. in physics and mathematics from the Hebrew University of Jerusalem, is a graduate of the elite IDF Talpiot program, and earned an M.A. in economics from Tel Aviv University, recently spoke to The Innovator about how corporates can improve their cyber resilience.
Q: Both the U.S. and European governments are concerned about state-sponsored attacks due to tensions with Russia. What sort of preventative steps are you advising companies to take?
TG: This is not new. Companies have been facing threats from cyber criminals and state actors for well over a decade. We’ve already seen major impact at companies that never calculated that they were at risk from geopolitical or major cyber criminal threats, so companies need to bring cybersecurity into their thinking, from the boardroom to the C-suite to the operational level. The Forum recently published a Cyber Resilience Framework and Cyber Resilience Index. The framework provides a foundation from which an organization can clearly define and understand what it means to have robust organizational cyber resilience. The index is a tool to help organizations quantitatively determine their cyber resilience using measures of performance against best practice. Together, the framework and the index seek to make sure corporate leadership has the right tools and understanding to achieve cyber resilience.
Q: Are companies doing enough to ensure their supply chains are protected?
TG: Protecting the supply chain is a great challenge that all companies are facing. Supply chains are a major vector used by nation states and cyber criminals. One way is by hacking software and services used by many companies. The other type of risk is second degree: companies in your supply chain may be affected by cyberattacks that affect their ability to operate. We have seen some very serious incidents in the last couple of years, such as SolarWinds [a 2020 supply chain breach that allowed a suspected nation-state to gain access to the networks, systems and data of more than 30,000 companies and organizations, including U.S. government agencies, through the software of a provider called SolarWinds.] Many companies are trying to address this but are still learning; it is a very complicated issue. The main point is that this is an industry issue. The supply chain security challenge can’t be addressed merely by individual companies or even by individual countries. Supply chains are not bound by geography. Protecting them demands a high level of collaboration and harmonization and understanding of systemic risks. It’s why we published our Cyber Resilience Principles for Board and the Cyber Resilience Index, to ensure that companies are putting the right processes in place and as it progresses, to let them see where they stand in comparison with other companies in their industry. We have created a group for the oil and gas industry so they can discuss where they have shared risks and build ecosystem resilience. To build resilience, not just supply chains but ecosystems need to be considered.
Q: How can we get more companies to be more open about their attacks and share information with each other?
TG: I helped establish Israel’s National Cyber Directorate and one of the things we understood was there needs to be a balance between centralizing and decentralizing security. To ensure cybersecurity we need to encourage information exchange and trust in engaged communities, then find specific areas and connect the dots between the different communities. There are a lot of public-private discussions in different countries, but not all countries have the same access to international companies that play such a key role in addressing cyber challenges at the global level. Different governments need to come together with global companies on an international level and that is exactly what the Forum is trying to do.
Q: Can you talk about the Partnership against Cyber Crime and the Cyber Crime Atlas initiative?
TG: The Forum has brought together a community of leaders from over 50 organizations, including global companies, law enforcement agencies and NGOs. We published a report that contains recommendations on how public and private stakeholders could work closely together to combat cyber crime. We are now working on a joint mapping of cyber crime, named the Cyber Crime ATLAS, which is a collaborative research project that gathers and collates information about the cyber criminal ecosystem and major threat actors operating today. The objective is to facilitate cooperation between companies and law enforcement and create a shared knowledge base, with the objective of disrupting cyber crime and empowering legal authorities in investigations, takedowns, prosecutions, and convictions. The World Economic Forum is the ideal facilitator to incubate such joint initiatives.
Q: What else is the Centre For Cybersecurity working on?
TG: As part of our flagship 2021 Outlook report we published a survey that showed there is a large gap between the way CISOs and CEOs perceive the cyber readiness of their organizations. We are trying to help bridge that gap. The Forum is also trying to encourage CEOs to be more collaborative. Much of the sharing that is currently happening between companies is led at the operational level. It is still a challenge to get the support of the CEOs to share more, but there is some progress. At the World Economic Forum Annual Meeting 2022 in May, 18 companies came together to take a Cyber Resilience Pledge, in recognition of the fact that much more collective preparedness is needed. The pledge aims to mobilize global commitment towards strengthening cyber resilience across industry ecosystems. Launched with the support of organizations engaged in the Forum’s Cyber Resilience in Oil and Gas initiative, the pledge seeks to empower organizations to take concrete steps to enhance cyber resilience across their industry. We would like to expand the pledge and get more and more industries involved, such as energy and transportation.
Q: What advice do you have for companies?
TG: This is not a topic leaders can delegate. Cybersecurity is a top business issue that they need to bring to their boards. CEOs need to understand the cybersecurity risks and CISOs need to understand the business concerns of the leaders and think about the business risks.