Information Security

Defending the digital infrastructure

Rawpixel - Fotolia

MIAX Options CSO on security's role in business continuity

Faced with the demands of derivatives trading, CSO John Masserini understands the value of aligning controls with business risk. We ask him how he does it.

All CISOs have responsibilities and pressures that make the job fun, interesting and sometimes a bit terrifying. But consider the world of John Masserini. As CSO at MIAX Options Exchange, he is responsible for information security, physical security, business continuity and privacy for the company. MIAX Options has assembled a team with deep-rooted experience in developing, operating and trading on options exchanges. Its trading platform was developed in-house and designed from the ground up for the unique functional and performance demands of derivatives trading.

MIAX Options now lists and trades options on over 2,700 multilisted classes. The company's unparalleled system throughput is approximately 38 million quotes per second. The average latency for a single quote on MIAX Options is approximately 17.38 microseconds for a two-quote block. Disruptions are not only unwelcome, they are practically unthinkable. Oh, and in his "spare time," Masserini has been known to coach lacrosse and is an avid baker and wine connoisseur.

Your organization must face an unusually complex and high-stakes threat picture. How do you develop and implement your defense strategy?

John Masserini: There are two critical factors to consider when developing a strong, but flexible, approach to securing an enterprise. First and foremost, the strategy must be driven by the business goals of the organization, not by the technical need for the latest and greatest tool sets. Focus on the technical infrastructure of the various revenue streams, and you'll quickly gain an understanding of the risks to the bottom line.

Focus on the technical infrastructure of the various revenue streams, and you'll quickly gain an understanding of the risks to the bottom line.
John MasseriniCSO at MIAX Options

Once you understand the potential revenue impact posed by the lack of controls, you'll have a clear vision on a tactical and strategic approach for the security program. The second consideration should also be a way to measure the current state as well as the expected end state once the program is up and running. A favorite of mine is the SEI CMM [Software Engineering Institute's Capability Maturity Model], which measures program maturity on a scale of one to five. Start with the basics of the NIST cybersecurity framework as a baseline, measure your maturity using SEI CMM against it, and you'll likely end up with some very clear directions on where to start.

From your vantage point, what current threats or other cybersecurity issues do you think are or should be of greatest concern to CISOs?

Masserini: Unfortunately, it's the usual suspects -- phishing, credential abuse, excessive privileges, watering hole [attacks], malvertising drive-bys … all pose a risk to any organization that lets email in and internal users surf the web, which is everyone. Over the years, countless millions of dollars have been spent on perimeter security. But the hard facts are that, most of the time, a simple phishing email works better than trying to find that one open hole in an external firewall or application.

John Masserini, CSO, MIAX OptionsJohn Masserini

Legacy training methods have done little to educate the users. Many of the successful phishing attacks seen these days are very well crafted and could potentially fool even the most careful users. Endpoint controls have been moderately successful in blocking these attacks, but managing user access is key. From controlling privileged accounts to removing local admin to modeling user behavior -- all should be leveraged in an effort to minimize the risk introduced by means of the user community.

Are there any things at MIAX Options that you think you do differently from most CISOs?

Masserini: One of the approaches that has really helped me over the years, and one that is often overlooked by CISOs, is the value the business continuity plan can bring to the security program. By definition, that plan focuses on the continuity of the business -- not the continuity of technology, where many security programs falter. By understanding the revenue generation processes, which are identified and protected under the BC plan, one is able to see how various applied security controls can mitigate the greatest amount of business risk with the least amount of effort. I would encourage every security executive out there to take ownership of -- and understand -- the business continuity plan as a foundation for their security program.

Article 2 of 6

Next Steps

10 tips for business continuity in the data breach age

How does business continuity fit into your governance process?

5 steps CISOs can take to retain security staff

This was last published in March 2017

Dig Deeper on Careers and certifications

Get More Information Security

Access to all of our back issues View All