Security BCP Business Continuity

TechTarget interview around aligning Crisis Management and Business Continuity with the control structures of the organization.

All CISOs have responsibilities and pressures that make the job fun, interesting and sometimes a bit terrifying. But consider the world of John Masserini. As CSO at MIAX Options Exchange, he is responsible for information security, physical security, business continuity and privacy for the company. MIAX Options has assembled a team with deep-rooted experience in developing, operating and trading on options exchanges. Its trading platform was developed in-house and designed from the ground up for the unique functional and performance demands of derivatives trading.

MIAX Options now lists and trades options on over 2,700 multilisted classes. The company’s unparalleled system throughput is approximately 38 million quotes per second. The average latency for a single quote on MIAX Options is approximately 17.38 microseconds for a two-quote block. Disruptions are not only unwelcome, they are practically unthinkable. Oh, and in his “spare time,” Masserini has been known to coach lacrosse and is an avid baker and wine connoisseur.

Your organization must face an unusually complex and high-stakes threat picture. How do you develop and implement your defense strategy?

John Masserini: There are two critical factors to consider when developing a strong, but flexible, approach to securing an enterprise. First and foremost, the strategy must be driven by the business goals of the organization, not by the technical need for the latest and greatest tool sets. Focus on the technical infrastructure of the various revenue streams, and you’ll quickly gain an understanding of the risks to the bottom line.

Once you understand the potential revenue impact posed by the lack of controls, you’ll have a clear vision on a tactical and strategic approach for the security program. The second consideration should also be a way to measure the current state as well as the expected end state once the program is up and running. A favorite of mine is the SEI CMM [Software Engineering Institute’s Capability Maturity Model], which measures program maturity on a scale of one to five. Start with the basics of the NIST Cybersecurity Framework as a baseline, measure your maturity using SEI CMM against it, and you’ll likely end up with some very clear directions on where to start.

Read the full article here:

Copyright © 2002-2024 John Masserini. All rights reserved.


Leave a Reply

Your email address will not be published. Required fields are marked *

Chronicles of a CISO