Secret CSO: Rani Kehat, Radiflow

Name: Rani Kehat

Organisation: Radiflow

Job title: CISO

Date started current role: July 2021

Location: Israel

Rani Kehat is currently the CISO at OT security firm, Radiflow. He earned his experience in protecting operational technology through his background as a mechanical engineer and in data communication before moving into information security. Before joining Radiflow, he also held posts as an advisor to the military sector and in cyber solutions at Dell EMC.

What was your first job? My first role out of university was as a Mechanical Engineer. I’ve always loved to take things apart to see how everything connects at a granular level and then put them back together again, and my degree is in engineering, so it seemed a natural first step into the world of work. It really taught me a lot about the manufacture and maintenance of machinery.

How did you get involved in cybersecurity? I worked for a data communication company early on in my career and became really interested in how we can best keep this valuable digital currency safe. I then moved into the information security side of things so I could help understand how to do this and implement it. After this, I also became an advisor to the military sector – for both the Israeli Defence Force (IDF) and the Ministry of Defence.

What was your education? Do you hold any certifications? What are they? I grew up in Israel but went to British universities. I have a BSc in Engineering from City, University of London, as well as an MBA from the University of Manchester. I also hold security certifications CISSP and CISM (certified information security manager).

Explain your career path. Did you take any detours? If so, discuss. Probably the biggest shift in my career was moving from automation to IT.  I made the move in the mid-80s when IT, networking, Internet, Linux, and so on was all exploding, and as a young mechanical engineer I wanted to be where the action was.

Was there anyone who has inspired or mentored you in your career? I don’t have any one mentor I can point to who has guided me through my career, but I love collaborating with my colleagues at Radiflow because we’re all united by a common goal: to stop bad actors from breaching operational technology and putting safety at risk. When everyone wants the same thing within a business like this it really makes you feel a part of something.

What do you feel is the most important aspect of your job? Playing a role in bringing new solutions to the market that can keep pace with the constantly evolving threats hackers are developing.

What metrics or KPIs do you use to measure security effectiveness? The success of your cybersecurity is difficult to measure. For example, many believe that if you haven’t been hacked, your cybersecurity efforts must be working. This isn’t the case – it may well be that you just haven’t been hacked yet. Thankfully, there are methods to measure how well security practices are working; effectiveness of controls, corporate awareness and reporting of suspicious events, and mitigation RPO are among the most helpful here.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Yes, I don’t know many organisations that this isn’t affecting. We’re doing our best to invest in the people we have and upskill our internal workforce, but right now technical presale specialists and people with real, on-the-ground cyber experience are proving the hardest to find.

Cybersecurity is constantly changing – how do you keep learning? You have to keep learning in this industry have to submit CPEs which are proof of attendance to lectures and certificates to the CISM professional body.

What conferences are on your must-attend list? There are so many to choose from, but I’d say the absolute musts for me are RSA, Blackhat, S4, and Govware Singapore.

What is the best current trend in cybersecurity? The worst? API security is the best. APIs have become integral to programming web-based interactions, which means hackers have zeroed in on them as a key target. Zero Trust, on the other hand, has become a buzzword that in theory should reduce vulnerabilities but in reality is not practical to implement, slows down application performance, and hampers productivity.

What's the best career advice you ever received? To get formal professional certifications. Not only have these helped advance my career at every stage, but they have also ensured that my security knowledge remains up to date against constantly developing hacker tactics and techniques.

What advice would you give to aspiring security leaders? Learn about the technology itself not just about regulations and how to adhere to them. In addition to this, make sure you are well-versed in standards. Knowing how things work from the inside out is going to be your greatest asset in keeping networks and systems secure.

What has been your greatest career achievement? Convincing an Israel government agency to adopt an IP-phone – which uses an internet connection to send and receive voice data rather than over landlines. This was the first installation of such technology in Israel.

Looking back with 20:20 hindsight, what would you have done differently? I love my career and I am motivated by keeping networks and people safe. However, there is always a balance to be struck and looking back I do wish I had dedicated more time to my family as well.