ICL Risk Management: Risk Management in the Age of Cyber ​​and War

Goili, with 18 years of experience in the field (among other things in Netiv Israel and financial institutions), currently manages the risk map of a global industrial “monster”. In a conversation with cyber risk expert Einat Miron, she breaks down the big mines: from cyber attacks that shut down factories, through geopolitical crises to the introduction of AI into the organization.

“If I used to be able to take out and receive goods quickly, today the route is longer”

“The biggest challenge in my eyes is the versatility and geopolitics. The organization is global, but it is affected by everything that happens outside. If we take the last five years, we have gone through tremendous upheavals: Corona, the terrible massacre of October 7, the war in the north, Iran. All of these directly affect the image of an Israeli organization abroad. It affects sales, the ability to do research and R&D with academia abroad, and even the plans of the Union European that were in danger of cancellation”.

“I completely agree with you. The regulation is a guideline, it is not the essence. We must not manage risks through Excel tables and checklists just to say “we did”. I do not conduct conversations with management members through Excel. When I sit with a manager, I do not ask him where he stands in the table. I ask: What is your strategy? What will happen if production is damaged? How do you minimize the damage? Paperwork is important for documentation and audit, but The essence is to decompose the risk into business processes. I do not come from a place of criticism, but as a partner who wants to prevent the next event.

Goili: True, and it’s important to say this – there is no body in Israel, certainly at a time like this, that does not deal with dozens if not hundreds of attempted attacks a month. There are a lot of ‘in-house’ brakes that we don’t hear about. Therefore, the approach must be that the method is only the pavement, not the road itself. I do not sit with the cyber manager on every principle in the ISO standard. I sit with him and ask: Where can this come from? From the emails? Third party provider? How do you block it? We are talking processes, not clauses.

“It’s not a cyber event, it’s a business event”

“And this is a mistake. When there is a cyber incident, the cyber manager manages the technical incident – what leaked, who penetrated. But around this incident many things happen that affect the organization, which are not technological. For example: the plant cannot work? What does that mean? Do we switch to manual work? Are there checklists for this? How do you communicate this to customers who currently will not receive goods? How do you report to the regulator? When do you activate the legal advice to inform suppliers that information has been leaked?”

“These are questions that the cyber manager is not available to answer in real time. This is where the risk manager who sees the holistic picture comes in. The risks associated with the cyber incident – the damage to the reputation, the lawsuits, the stoppage of production – can be more expensive and destructive than the hack itself.”

“Unequivocally. In the worlds of OT (operational technologies), the damage is physical and painful. When we do a business continuity process (BCP), we look for the critical points. I have met factory managers who are sure that everything is backed up, and then when they dig they find out that there is one critical machine, and if it is damaged or drops below a certain temperature – there is no machine. That’s it. There’s nothing to do and that’s the event.”

“This is critical. Imagine an attacker who takes over a system and controls the calibration of a machine. It is enough that he changes a millimeter, or changes the timing of the components – the entire production line goes to waste, or worse, safety damage occurs. That is why we must map these points in advance and know how to manage inventories manually if necessary. We were not born with computers, we need to know how to return to the old methods in an emergency.”

“There was an expectation that because I am the woman in the room, I would be the one to write down the protocol”

I don’t talk to them in academic terms. I’m talking about their Day to Day. If I come and say ‘there is climate regulation’, they will tell me ‘leave me alone, I have problems now’. But if I explain to them: ‘In four years the market will change, and if we don’t prepare now, we will lose market segments and it will cost us a fortune’ – they listen. I connect the risk to money and business continuity. I show them how a flood in Brazil affects the prices of our goods, or how the drying up of the Rhine River in Europe prevents ships from transporting goods. When they understand that the risk is not theoretical but hurts the supply chain and the bottom line – they are with me.

“True. In every risk there is an opportunity. We began to identify the introduction of AI as an emerging risk when we realized that employees were starting to use it in a pirate way. We convened a forum of lawyers, cyber, infrastructure and HR to understand how to enable the organization to run forward without revealing commercial secrets. Today we are developing an AI-based internal risk management system at ICL. We have developed an “agent” that knows how to read the risk descriptions, the the controls and the work plans, and offer KRIs to managers in an automatic way, instead of going through thousands of risks manually, the system tells me where the problems are – and everything is in a closed and secured environment, without the information getting out.

“It’s a complex issue. On the one hand, I’m a feminist who believes that the person does the job. On the other hand, the reality is that most of the board members are men. I’ve sat on boards of directors and management where I was the only woman in front of a line of men, most of them military veterans with senior ranks, and there was an expectation that because I’m the woman in the room, I’ll be the one to write down the protocol. Just like that. And then I have to stop and say: ‘I’m here to manage the risks, not to write down a protocol. This is a necessary moment Break it. Why would someone put me in this slot after 18 years of experience, education and achievements?”

“Very much. And so my message to women is: don’t listen to the background noise. Believe in yourself. Don’t give up on yourself, and demand that you be judged by the value you bring to the table, not by gender. I want to get to a point where we don’t have to talk about it at all, that it won’t be “personal”. But until that happens, we have to stand our ground and not apologize.”