Shaping your technology roadmap with key risk indicators

May 02, 2024
Author: John Bruggeman
Blog

In this episode of Inside the CISO’s Office, Justin Hall and I talk with Sandy Kapoor, former CTO of Mizuho Securities USA, about the unique challenges of balancing security among a CTO’s broad scope of responsibilities. Kapoor delves into the self-reflection that needs to happen within a business before establishing key risk and performance indicators and the importance of operational visibility in achieving excellence.

Inside the CISO’s Office Ep. 3: When security responsibility falls under a CTO

How does your organization prioritize risk?

A CTO’s responsibilities cover a lot of territory—enough that addressing every goal at once is impossible. In that environment, understanding the fundamentals of your business can help you to establish your priorities. “You can’t really prioritize,” said Sandy, “until you know: who are we?”

Sandy outlined three key questions he seeks to answer before prioritizing security objectives. Those are:

  • What business are we in?
  • In that business, what are our most important assets?
  • What is the likelihood of threats to those assets?

Two of Sandy’s most critical assets in the financial services industry were material nonpublic information (MNPI) and the source code for the firm’s trading algorithms. The third critical asset was the firm’s day-to-day operations.

Once you establish your most valuable assets, you can structure your security strategy around protecting them. For Sandy, that meant a layered approach, both in the timelines of his security goals and in their implementation. He began with the ambitious and mission-critical goal of data classification and highlighted the importance of achieving near-term KPIs to raise morale and maintain momentum.

“[Data classification] can take a year. It took us a year to get through all of that,” said Sandy. “You can’t just sit on that one project. So that’s when you start thinking about prioritizing and getting small wins. So, while you’re working on this big, difficult project, you can worry about… The general business operations domain. And for that, you could have many, many small wins.”

Using e-mail security as an example, Sandy also discussed "defense in depth": layering independent controls so that each can backstop the others. In his case that meant filtering products from different vendors, so that a blind spot in one vendor's detection is covered by the other rather than shared by both.

Prioritizing risk requires understanding the core of your business and allowing your most valuable assets to guide your security roadmap. But don’t succumb to tunnel vision—diverse solutions and short-term wins keep your security strategy sustainable.

Key risk indicators, key performance indicators, and regulations

Completing strategic projects is only the first step in improving information security. Operationalizing the new functions and processes presents a different set of challenges for a CTO. In that vein, I asked Sandy which key performance and risk indicators he had found most valuable in managing the day-to-day progress of his technology team.

Sandy cited four metrics that he found especially enlightening for his technology operations:

  • Length of time to provision a new hire: “My target was three days at the maximum… If you’re managing your internal clients and servicing your internal clients well, it’s a reflection of what you’re going to do with your external clients.”
  • Password reset requests: “It’s such a small little thing in the whole scheme of things, but it tells me, ‘How well are we utilizing it?’… How do you then look at those statistics and say, ‘Alright, you know what, these four applications, we really need to migrate [them] to SSO.’”
  • Actionable security incidents vs. total security incidents: “You’ve eliminated your false positives, you’ve eliminated your ‘anomalous but safe’ [incidents]. Now, you [only] have the incidents that require investigation. So if that ratio—your number of actionable incidents versus total incidents—is going higher and higher, it means you’re doing a great job tuning your alerts.”
  • Patch status of externally facing endpoints: “What percentage of my externally facing devices were fully patched or had the least critical vulnerabilities? That’s another really important metric for us in security to focus on because that’s your biggest risk as well.”
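The four indicators above are easy to state and easy to compute badly. The script below is an added example, not code from the article or from Sandy's team, that computes each one over small constructed data sets (the alert dispositions, reset tickets, provisioning dates and device records are all invented for illustration). It also builds in the two checks a practitioner would want: the actionable-incident ratio is reported alongside its absolute counts, because the ratio also climbs when a log source goes quiet and the denominator shrinks, and an externally facing device with a stale scan is counted as non-compliant rather than silently dropped from the percentage.

```python
"""Four operational KRIs/KPIs computed over constructed sample data.

Added example: the data below is invented for illustration, not taken from
the article. Thresholds (3-day provisioning target, 7-day scan age) are
assumptions chosen to match the discussion, not prescribed values.
"""
from collections import Counter
from datetime import date
from statistics import mean

# --- constructed sample data -------------------------------------------------

# (week, disposition) for every alert the SOC closed. Dispositions follow the
# text: "actionable", "false_positive", or "anomalous_safe".
ALERTS = (
    [(1, "actionable")] * 2 + [(1, "false_positive")] * 6 + [(1, "anomalous_safe")] * 2
    + [(2, "actionable")] * 3 + [(2, "false_positive")] * 3 + [(2, "anomalous_safe")] * 2
    + [(3, "actionable")] * 3 + [(3, "false_positive")] * 1 + [(3, "anomalous_safe")] * 1
)

# One entry per password-reset ticket, tagged with the application it was for.
PASSWORD_RESETS = ["payroll"] * 14 + ["crm"] * 9 + ["intranet"] * 2 + ["legacy_ftp"] * 7
SSO_APPS = {"intranet"}  # applications already behind single sign-on

# (access requested, access fully provisioned) for recent new hires.
PROVISIONING = [
    (date(2024, 4, 1), date(2024, 4, 2)),
    (date(2024, 4, 3), date(2024, 4, 8)),
    (date(2024, 4, 10), date(2024, 4, 12)),
    (date(2024, 4, 15), date(2024, 4, 18)),
]

# Asset inventory joined with the latest vulnerability-scan result.
DEVICES = [
    {"host": "web-1",  "internet_facing": True,  "open_critical": 0, "last_scan_days": 2},
    {"host": "web-2",  "internet_facing": True,  "open_critical": 2, "last_scan_days": 1},
    {"host": "vpn-1",  "internet_facing": True,  "open_critical": 0, "last_scan_days": 12},
    {"host": "mail-1", "internet_facing": True,  "open_critical": 0, "last_scan_days": 5},
    {"host": "db-1",   "internet_facing": False, "open_critical": 3, "last_scan_days": 1},
]

# --- the four indicators -----------------------------------------------------

def actionable_ratio_by_week(alerts):
    """Return {week: (actionable, total, actionable/total)}.

    The absolute counts travel with the ratio on purpose: a ratio that rises
    because total alerts collapsed (a sensor stopped reporting) looks exactly
    like good tuning if only the ratio is shown.
    """
    actionable = Counter(week for week, disp in alerts if disp == "actionable")
    total = Counter(week for week, _ in alerts)
    return {w: (actionable[w], total[w], actionable[w] / total[w]) for w in sorted(total)}


def sso_migration_candidates(resets, sso_apps, min_resets=5):
    """Applications not yet behind SSO, ranked by reset volume, above a floor.

    This is the 'which four applications do we migrate' list from the text;
    apps already on SSO are excluded since their resets are handled centrally.
    """
    counts = Counter(app for app in resets if app not in sso_apps)
    return [(app, n) for app, n in counts.most_common() if n >= min_resets]


def provisioning_turnaround(records, target_days=3):
    """Days from access request to full provisioning, against a maximum target."""
    days = [(done - asked).days for asked, done in records]
    return {
        "max_days": max(days),
        "mean_days": mean(days),
        "breaches": sum(1 for d in days if d > target_days),
        "pct_within_target": sum(1 for d in days if d <= target_days) / len(days),
    }


def external_patch_compliance(devices, max_scan_age_days=7):
    """Share of internet-facing devices with zero open criticals from a recent scan.

    A device whose last scan is older than max_scan_age_days is counted as
    non-compliant, not removed from the denominator: an unknown state on the
    perimeter is itself a risk, and dropping it would inflate the percentage.
    """
    external = [d for d in devices if d["internet_facing"]]
    compliant = [
        d for d in external
        if d["open_critical"] == 0 and d["last_scan_days"] <= max_scan_age_days
    ]
    stale = [d["host"] for d in external if d["last_scan_days"] > max_scan_age_days]
    pct = len(compliant) / len(external) if external else 0.0
    return {"external": len(external), "compliant": len(compliant),
            "pct": pct, "stale_scan": stale}


if __name__ == "__main__":
    for week, (a, t, r) in actionable_ratio_by_week(ALERTS).items():
        print(f"week {week}: {a}/{t} actionable ({r:.0%})")
    print("SSO candidates:", sso_migration_candidates(PASSWORD_RESETS, SSO_APPS))
    print("provisioning:", provisioning_turnaround(PROVISIONING))
    print("external patch compliance:", external_patch_compliance(DEVICES))
```

On the sample data the actionable ratio climbs from 20% to 60% while total alerts fall from 10 to 5 a week; both numbers are needed to tell tuning from a dying feed. The compliance figure comes out at 50% with vpn-1 flagged for a stale scan, which is the number to report, rather than the 67% you would get by quietly excluding it.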

Metrics and regulations represent two sides of the security coin. Compliance regulations, such as the MNPI rules Sandy dealt with in the financial services industry, shape the design of security systems, while metrics show whether those systems are actually working once they are in operation. I asked Sandy how he balanced his team’s focus between the two.

Sandy stressed the importance of separate, dedicated resources for projects and for operations. “I tended not to worry too much about regulations because as long as I resourced it well and I had the right budget, those tended to get done. The hard part was once those projects got done, you wanted to make sure it got done well, so it wouldn’t become an operational burden once you finished the project. For me, to be honest, most of my focus was on operations.”

Complexity is the enemy of security.

Sandy Kapoor

Operational excellence vs. operational visibility

For Sandy, the key to operational excellence is operational visibility. Enterprise security tools provide a wealth of data about threat events, but the challenge isn’t only collecting data—it’s finding the signal in the noise. Consolidating the insights of a full suite of security tools and deciding how to respond are core challenges for operations teams.

To create clarity, Sandy again relies on foundational conversations within the business. Key risk and performance indicators provide the most value when they are aligned with overarching business goals and when the operations team agrees on what they mean. Avoiding stagnation is also essential: because the security landscape is constantly shifting, these metrics need to be reevaluated regularly.

Operational visibility is the foundation of operational excellence. Security teams can and should iterate on key performance and risk indicators in light of new data, team goals, and strategic business objectives.

Information security touches every aspect of your technology roadmap

As you consider the key risk indicators and the future of cybersecurity in your organization, CBTS can partner with you to identify and minimize your risks. From security consulting to fully managed security services, CBTS provides the experts to support you in the way that best matches your business needs.

Contact CBTS today to schedule a security assessment.
