Locations:
Min Investment:
Max Investment:
Target Investment:
CISSP
(2010 - 2010)
CISA (Certified Information Systems Auditor)
(2013 - 2013)
2024
2024
2022
2022
2022 - 2024
2022 - 2024
Get sh*t done means squeezing 3 working years into one calendar year: **Security Projects:** -Established a top notch security team. -Implemented Security Program, adhering to industry best practices. -Led Security Steering Committee meetings monthly to ensure strategic alignment. -Managed SOC2 certification, enhancing security posture. -Orchestrated security incident response process, conducting tabletop exercises. -Directed SOX audit efforts, ensuring regulatory compliance. -Oversaw FDA new BLE submission, ensuring regulatory compliance. -Implemented Vendor Risk Management program, mitigating third-party risks. -Promoted endpoint security and standardization. -Introduced SIEM solution for security monitoring. -Managed penetration tests on company environments. -Deployed advanced security platforms (Cloud Security, ZTNA, Pipeline Security, Compliance Automation, Endpoint Security, Browser Security, WAF and more). **DevOps Projects:** -Established internal DevOps team, transitioning from outsourced services. -Unified AWS infrastructure, reducing operational complexity. -Aligned CI/CD processes, streamlining software delivery. -Enforced Infrastructure as Code (IAC) across environments. -Built and deployed unified monitoring platform. -Introduced EKS as new infrastructure. -Conducted Disaster Recovery Plan (DRP) tests. -Automated DB schema management and upgrades. -Migrated DNS to AWS and enhanced access control. **IT Projects:** -Established a team of IT pros. -Removed shadow systems and legacy services. -Migrated on-prem file storage to SharePoint. -Promoted Single Sign-On (SSO) across applications. -Established ownership and access controls. -Implemented access control and CCTV system as part of a new office move. -Created an SLA policy. -Automated company processes (on/off-boarding, service requests etc.)
2022 - 2022
2022 - 2022
I'm part of the executive team at Compete. In less than one year my team and I have built a mature security program from scratch. I have also led the IT, DevOps, MIS and Privacy domains in the company to support the below security initiatives and consolidate "security supply chain" under one team. Main security achievements: Foundation of the company's Security strategy; Serving as a liaison executive to address customers' security/privacy concerns. Including proactive participation in various meetings with prospects that led to contracts; An initial and then continuous risk assessment process; Establishment of a Security Steering Committee; Execution of a Privacy gap analysis and Privacy Program; Completion and re-certification of ISO/27001 and ISO27701; Establishment and maintenance of an on-going SSDLC and Threat Modeling process (including a bug bounty program); Creation of a security monitoring+alerting system; Creation and formalization of security workflows and procedures (Incident Response, security training, automation of security tasks like on/off boarding, re-certification, data classification and more); Deployment of various security tools to support the company's security Strategy (e.g: centralized access management system, centralized IDP and authentication service, centralized vendor risk assessment and management, CSPM/CDR, EDR, EASM, WAF, CI/CD Security, ZTNA, MDM, Data Encryption and more).
2019 - 2022
2019 - 2022
2020 - 2022
2020 - 2022
2019 - 2022
2019 - 2022
First CISO at Fiverr. From 450 to 1100 employees, from a private to a public company, 5 M&As, 26 dev teams, millions of active users. I have established the company’s security strategy from scratch. But I wasn’t alone. Together with my great managers, peers, team and other stakeholders, we have created a true security first mindset around the company. We have initiated and maintained security establishments that helped us keep security high on company’s agenda. For example: A solid and consistent Security Steering Committee with active C level executive roles, Security Guild and SSDLC program, Security and Privacy By Design program, An innovative IR plan that was constantly tested and challenged by attackers, continuous training and education programs and more.
2015 - 2019
2015 - 2019
Develops and communicates a credible, executable vision for improving security. Develops and delivers a repeatable risk assessments of 3rd party partners. Develops and operationalizes a risk assessments process that maintains plans to remediate risks, enable security capabilities, and respond to information security incidents and inquiries. Conduct and Lead regular cyber security incident response exercises across organizational lines, and continually improves response capabilities. Hands-on experience with various IT Sec tools (e.g: Cloud security and monitoring tools, Mail security, CASB, EDR, cyber deception tools, FWs, NAC, Access controls, monitoring, vulnerability management, IT configuration tools and more). Cloud security: Design OB's cloud computing security, management and monitoring capabilities (AWS, GCP). Develops, designs and implements executive and operational metrics/dashboard reporting to support information security group’s business objectives and strategic imperatives. Ensures the Information Security Function is strategically and effectively engaged with stakeholder and is meeting stakeholder expectations. Develops communication approaches and strategies, determines presentation focus and emphasis, and convey executive-level presentations. Develops programs for user awareness (train all employees of the company, conduct phishing simulations and other ad-hoc training stunts). Ensures endpoint compliance; maintaining information security devices and software; monitoring compliance procedures; and resolving security policy issues. Maintains a current understanding of the IT threat landscape for the industry; Translate that knowledge to identification of risks and actionable plans to protect the business; Interacts with existing customers and prospect regarding the security practices of the company. ISO 27001 compliance lead. Outbrain's GDPR project lead.
2012 - 2015
2012 - 2015
• Comprehensive management of information systems audits. • Planning and execution of technological audit projects in Bank Hapoalim, its subsidiaries (e.g. Isracard) and US branches in various technological fields: Cyber Security, IT Management and governance, Physical security, BCP/DRP, Software Development, Mobile security, information systems architecture and design, enterprise networking, IT operations, regulations and compliance, privacy, Risk Management Shadow IT and more. • In-depth and practical familiarity with banking regulation, relevant legislation and industry standards. • Delivering comprehensive audit reports and presenting them to auditees, senior management and the board of directors. •Proving excellent written and verbal communication skills, out-of-the-box thinking, self-driven personality, possessing both strategic and drill-down IT knowledge, a speedy adaptation capability to versatile change, discretion and integrity. • Leading research projects and promoting a culture of innovation across the audit department to support the bank's goals. Frequent speaker and moderator at professional events (both internal and public).
2007 - 2012
2007 - 2012
Founded in 1992, STKI (previously Meta Group Israel) is a leading market research and strategic analyst firm in Israel, covering the IT infrastructure, information security, applications and services. As a senior analyst I have covered new initiatives and strategies in the cyber security domain while introducing them to the Israeli CISOs. I was on-top of trends and technologies in most aspects of the security market (e.g: Cloud security, endpoints, network, data, mobile, physical, risk management and more). I was often requested to provide insights and guidance for CISOs, vendors and system integrators as for the best strategy prior and during implamantations of new security tools and methodologies. My services included: One-on-one meetings (with both working-bees and C-level execs alike); Moderation of round-tables (i.e: 3 hour sessions, 20-30 participants at a time); Analyst House Calls (periodic full-day sessions for both end-users and vendors to conduct tech deep dives); Replying to client inquiries; Conducting surveys and perform technology benchmarks, strategic marketing researches and more. I was a known trusted advisor and mentor for many start-ups making their first steps in the market. I was a frequent (and most wanted :-)) speaker at professional conferences.