Caute_cautim
Community Champion

The Gili Ra'anan Model and CISOs

Hi All

 

I originally came across the original post on LinkedIn; what are your thoughts?

 

Original from:  Robert Hansen - Managing Director - Grossman Ventures

 

Over the last week there have been several polls about the supposed "Gili Ra'anan model", which allegedly compensates CISOs for preferentially buying products and services. Whether this is a real thing or not I cannot say for sure, but judging by a lot of the feedback I got offline and off-the-record, I would say it is likely very prevalent. Here is some analysis from those polls:

First, it's worth noting that even if this isn't a real thing, the possibility of corruption seems to get people upset. It's understandable, as unfairness may affect a lot of people who may otherwise work for great companies competing with inferior products that use bribery schemes to get traction. If a CISO chooses a product purely based on lining their pocketbook, it is questionable whether the product is any good, or, worse yet, whether it will even be used at all. This might explain the prevalence of shelfware that never gets deployed. This could be making a lot of companies far less secure than they could be if products and services were chosen on merit/utility/need and price.

On a personal note, if the "Gili Ra'anan model" is real, out of all the ramifications it is the possibility that we are all unnecessarily less secure that bothers me most. If you believe that security actually matters, and I tend to think it does, then such behavior is dangerous. But how would we know if a CISO was involved in such a scheme?

Over half (56%) of respondents believe that if they find that a company is known to be using bribes, they would assume that a CISO's endorsement of said company would mean that they were likely profiting from it. Only 35% felt that the CISOs would be innocent until proven guilty. That is only a perception, but it's telling of how careful a CISO must be to keep their image clean. There are many other signals that careful OSINT could use to uncover these connections, including scanning and correlating social media profiles, advisory board pages, and so on.

Even if it turns out such a thing is currently rare, due to the disclosure of this model 44% of respondents think that it will increase in popularity, and another 33% don't believe it will have a chilling effect. If 77% of people believe that the disclosure of the "Gili Ra'anan model" will have no positive effect, then doing nothing doesn't seem to be an option, if we believe corruption is bad for security and unlikely to decline.

But where is the harm? Many crimes go unlitigated because finding a victim is difficult. Sure, if the company is breached and it turns out that money was misappropriated, that might open the CISO to litigation. But there's a more direct harm to the company as well. 79% of respondents said they would be less likely to buy a product or service from companies that had CISOs who took bribes. This is likely due to personal distaste, but also might have to do with the fact that the company is perceived to be mismanaged and less secure as a result of that CISO's actions.

I then chased down the original article here (see attachment too):

 

https://www.calcalistech.com/ctechnews/article/b1a1jn00hc

 

Something to consider: a properly run procurement unit within an organisation would not permit this at all, as it would break all organisational and international rules.

 

Regards

 

Caute_Cautim

 

 

1 Reply
CISOScott
Community Champion

If you are taking stats, I have yet to be offered a bribe. Not that I would accept it, of course, but this "model" is the first that I and the peers I have talked to have heard of this. Are we naïve enough to think that bribes, kickbacks, special favors, etc. are being offered to some people? No.

It would be foolish for a company to advertise that they will compensate you if you pick from their vendors, and more foolish for someone who is participating in this endeavor to make it known that they are doing this.

For me it is a little reminiscent of what is alleged to have gone on on the island of Jeffrey Epstein: bring people in, video them in compromising/illegal/taboo situations, then blackmail them to get them to continue to do what you wish.

 

If anyone was thinking of doing the model mentioned (taking compensation for selecting a vendor, with being compensated as the reason you chose that vendor), keep in mind that it is illegal in a lot of places to do this. If you did this, then you would be guilty of a crime, and that could be used as leverage for you to select other vendors of this company in order for your reputation to be kept clean. Even if it wasn't illegal, it is unethical, and it could still be used against you.

 

We in the industry already do a similar dance now, albeit on a much smaller scale. We attend conferences, go to events, etc. put on by vendors or sponsors. Sometimes we win raffle prizes, or accept booth giveaways, etc. I have never selected a vendor because of conference swag and haven't known anyone to do so.

 

People ask, "Why go to these events then, if the appearance of impropriety may hang over you if you accept these small gifts?" Oftentimes at these sponsored events the group of peers will ask each other "What do you think of vendor X?" or "Have you ever used vendor X?". You get varied opinions of that vendor and maybe learn about some new vendors as well. You get to talk with your peers and sometimes get the real scoop on these vendors/products instead of just the marketing hype. You can make lifelong peers and friends and build out your network at these events. So there is great value that can be obtained at these events other than trivial promotional swag.