Ofir Even
Connect

From Bare Metal
to Business Strategy.

Deep infrastructure roots shape how I build resilient security architectures for the enterprise and financial sectors. I don't manage risk on paper - I understand the network underneath it.

Ofir Even - CISO & Cyber Architect
0+
Years in Tech
0+
Years in Cybersecurity
0+
Years as CISO
0+
Organizations Across Sectors

Security Leadership Rooted in Technical Reality.

Most security leaders arrive from policy. I arrived from the wire. Two decades operating networks, bare-metal systems, and enterprise infrastructure means I don't abstract away technical complexity - I build security on top of it.

Currently
CISO
Citadel Cyber Security
CISO since 2017 · at Citadel since 2012
Cybersecurity Architect
Bank of Israel
Since 2014
01
Deep Infrastructure
Firewall policy isn't theoretical. It's iptables, routing tables, and packet captures at 2am. That foundation shapes every architecture decision I make - from zero trust design to SIEM tuning.
02
Enterprise Risk
Translating technical risk into board language without losing accuracy. Governance frameworks grounded in operational reality, not checkbox compliance or sanitized dashboards.
03
Financial Sector
Banking, insurance, and fintech operate under constraints most CISOs don't fully grasp. Regulatory depth meets hands-on control design - built for institutions that cannot afford to fail.

Methodologies.
Not Templates.

Developed from real incidents, real audits, and real board rooms.

01
Reality-First Security Architecture
The organizations with the most complete frameworks are not always the most protected. The gap is always in the translation to operational reality.

The first step is mapping - network topology, information assets, access vectors, business processes. Only after that picture is complete does the question of controls become relevant. Which defenses are genuinely necessary for this environment, and which were deployed to satisfy a requirement rather than address a real threat? The architecture dictates the defense. Not the other way around. Organizations that build security this way spend less, protect more, and stop investing in controls that solve problems they do not have.

+
02
Validated Risk Escalation
Not every finding is a risk. Not every risk needs the boardroom. The security function that knows the difference is the one leadership actually trusts.

Before any risk reaches the executive table, it goes through a validation layer - confirming that what was flagged is genuinely critical in the actual operational context, not just on paper. When it does escalate, it arrives in business language: clear impact, concrete options, a direct recommendation. No technical briefings that need decoding. No ambiguity about what action is required. Leadership gets exactly what they need to make a decision - nothing more, nothing less.

+
03
Operational Persistence
Security programs are not measured by what gets approved. They are measured by what gets done. When follow-through is part of who you are, it does not need a framework to function.

Every security decision becomes a tracked open item - with ownership, status, and a follow-up cadence that does not stop when the first response fails to arrive. When progress stalls, escalation is structured and non-personal. In organizations where accountability is diffuse and inertia is the default, this operational discipline is what separates a security program that exists on paper from one that actually operates.

+
04
Security Built from Both Sides
Security built by someone who has never conducted an independent audit will always have blind spots. Not technical ones. Structural ones.

Spending years as an external assessor - auditing organizations, reviewing architectures, hardening systems - while simultaneously serving as an internal security practitioner inside regulated institutions produces a specific kind of perspective. You learn what assessors look for. You learn where well-intentioned security programs create gaps that are invisible from the inside. That lens does not stay in the audit room. It shapes every architecture decision, every control design, every risk assessment. The result is not security that looks solid on paper. It is security designed to actually be defensible - under audit, under pressure, and under attack.

+

Side Projects.
Built for Real.

Things I built because I wanted to - not because someone asked.

01
EdTech · Security Game
Cyber Detective
A cybersecurity escape room for kids - teaching phishing, passwords & online safety through gameplay, not slides. Vibe-coded with Gemini. The students asked for more.
Play →
02
Retro Game · Vibe-Coded
Colt vs Sirius
A retro space shooter, built during wartime for no reason other than fun. Pure vibe-coding - concept to deployed game, no plan, just momentum.
Play →

Writing &
Publications.

Ideas that needed to be said out loud.

01
LinkedIn
No More Excuses - Your Idea Can Ship Today
How I built a cybersecurity education game for 5th graders using AI - without writing a single line of code.
Read →
02
LinkedIn
When Your Defense Tools Become the Attacker's Weapon
How attackers weaponized the Velociraptor forensics tool - and what defenders should do about dual-use security tooling.
Read →
03
PDF Download
Critical Security Tool Hardening Checklist
A practical hardening checklist for security tools in enterprise environments. Built from real deployments.
Download →