(This is the first of a regular series of features that outline a typical day in the life of a chief information security officer, the people at the front lines of defending organizations against the rising tide of cybercrime.)
Robert Ganim has worked as the chief information security officer and information technology key risk officer at Mizuho Americas since early 2016. He has over 25 years of experience as a risk and control specialist in cybersecurity and information technology.
Prior to joining Mizuho, Mr. Ganim held the first CISO role at Neuberger Berman, a global asset management firm. Previously, he developed and directed the IT audit functions at multiple firms across several industries, including financial services, telecommunications, and health-care insurance.
Wake up: Watch the news to determine what, if any, world, domestic or financial events may have an impact on my company or industry.
Check email for important communications sent from head office personnel in Tokyo.
Drive to the local Long Island Railroad station. For the past 10 years I’ve had the pleasure of being part of an informal daily gathering of like-minded sports enthusiasts who are happy to discuss any sport, team or game that has occurred anywhere within the last 24 hours. Our only standing rule is that there is to be no talking once the train rolls in. That sacred time is reserved for only two activities: work or relaxation. I choose to review and reply to any additional emails requiring my immediate attention. A CISO must stay ahead of the volume of emails he receives, as it is not unusual for me to receive between 150 and 200 emails on any given day.
Arrive at desk. Review to-do list and planned activities for the day.
Meet with the newest information security officer, or ISO, team member to discuss goals and expectations for the position.
Meet with my ISO team to review and analyze a legacy process and determine updates to be made to enhance security and efficiency.
Assess project status documents for a key project underway in the organization to enhance the information/cyber security program. A thorough review of all details, time frames, proposed resourcing, and vendors used for support is conducted.
Talk with the head of information security in our London office about an upcoming Mizuho EMEA Information Security Summit, for which I will be presenting an overview of the Mizuho Americas Information Security program. I want to ensure that the topics are pertinent to all global attendees.
Call with IT coordination personnel to discuss the process for collecting needed Key Risk Indicator data and reporting format.
Lead discussion on the General Data Protection Regulation, a new European regulation to be implemented in 2018. Determine the impact to my organization and which, if any, additional controls are required. The need to involve internal compliance and data governance personnel, and possibly external counsel, is acknowledged. Our goal is to not just meet, but to surpass, any regulatory requirements.
Discussion with the internal audit team on a proposed information security-related audit finding, to fully understand the issue, reach agreement on the potential risk noted, and develop an appropriate and prudent action plan.
Meet with consultants assisting on the development of a new information security risk assessment process. Ensure my goals and expectations for the process are being met and the project is on target. The process flow and question set are refined. I ask for enhancements to the documentation available for the team conducting the exercise.
Lunch at desk while reviewing resumes received from my human resources recruiter for an open Information Security Officer position. Although I scan the resume for a specific skillset and experience level, it is imperative that any ISO candidate exhibits certain qualities, including a customer-first attitude, an innovative spirit, being a consummate team player, and a passion for what we do. Not surprisingly, these very same core values are our guiding principles at Mizuho. These personal attributes are fundamental to the success of any information security professional. I contact the recruiter to discuss my thoughts.
Call with the consulting firm assisting us with additional KRI development to assess progress, ensure that the rollout of the project is meeting or exceeding expectations, and confirm the project is on schedule.
Weekly status meeting with my manager, the chief risk officer, to report on the progress of key projects and any issues requiring his attention. This feedback and his perspective are essential to keeping information security priorities in line with the risk appetite of our organization.
2:30-2:50 PM
Generate a new slide which highlights information security progress on a new key initiative to be shared at the next Mizuho board meeting.
Coffee time! Head down to the lobby coffee shop. While on line I bump into an old colleague from a prior job. We spend a few minutes catching up and plan on scheduling lunch in the near future.
Discussion with the head of operational risk management regarding a recent addition to our monthly risk reporting process which is designed to streamline and improve information security and information technology risk reporting.
I am notified of a cyber incident at one of our vendors. I contact our CIO and ask his team to conduct further assessment and analysis of any potential impact to our firm. I hold a call with the vendor to discuss the issue, including the scope, any impact to my firm, as well as the cause and response. I am relieved to hear that there has been no impact noted for my firm, but I will arrange a call to further investigate the cause and effect of the incident and the vendor’s post-mortem process.
Call a vendor we have used in the past who has contacted us regarding a new product which might be a good fit with our existing toolset. It sounds promising, so I suggest a demo to be coordinated with my team and our security engineers for further evaluation.
Notification from a senior C-Level executive of a suspected phishing email he received. After analyzing the email, I inform the executive that it is a false alarm. I express my thanks to him for following the protocol my information security team put in place.
Meet with my team to explore a new and improved assessment process to determine adherence to a new information security policy we just issued. Instruct the team on the goals of the process, get feedback on initial thoughts, and advise on the time frame needed to accomplish the task.
Review any open to-do items that cannot wait until tomorrow. Revise and update the action plan for tomorrow.
Walk to Penn Station.
Hop on the LIRR. The long and often delayed LIRR commute home can be a silver lining to this CISO’s day, as it provides ample, uninterrupted time (a CISO’s scarcest resource) to review and answer any outstanding correspondence of the day.
Arrive home, feeling blessed to spend the evening with my wife and family.
For more information on WSJ Pro Cybersecurity, please visit https://buy.wsj.com/wsjprocs