The Big Interview: BNP Paribas's Cyber Risk Leader Ramy Houssaini

On cyber risk, synthetic data, architectures, gardening, and more...


Ramy Houssaini has led Privacy and Cyber risk for one of the world’s largest banking multinationals since 2017 – a position with significant strategic responsibility – but started his career at the coal face developing anti-fragile software for highly resilient telecommunication infrastructure at Motorola.

That role “gave me the opportunity to collaborate closely with engineering products and operations teams” he recalls. Bridging the business and technology worlds has been his métier since: “I’ve always been in roles where I acted as that translation layer between what the business requirements and strategies were; and then what the actual engineering controls and infrastructure considerations should be… I took the view early in my career that ‘cyber’ doesn’t exist in isolation; it is all about business enablement” he notes, adding that “probably the most secure computer [after all] is a turned off one that serves no business purpose.”

Asked if this “bridging” has got easier over the years, as awareness of how tech can move the commercial needle -- and of cyber risk more broadly -- has risen up the board and C-Suite agenda, he comes up with a considered, but slightly unexpected response: “I actually feel that there's been more effort from the business community; product leaders and strategists, CEOs, the board to understand the world of technology… than technologists really [making that effort to understand] what their business context is, and trying to really formulate the adequate architectural strategies to support that” he muses on a Zoom* with The Stack.


“There are of course, some sectors and some environments where that symbiosis exists and it's a perfect balance. But if I were to talk in aggregate terms, I think that you now see boardrooms and management teams more comfortable talking about technology. But if you go to your typical technology organisations, you still have an insular view of the function. And that”, he emphasises firmly, “needs to change…”

Ramy, who marries an affable manner with what’s clearly an operationally focussed mindset when it comes to risk, data, and security, has worked in cybersecurity for two decades, with stints as security practice lead for BT Global Services and head of the cybersecurity practice at Accenture. (He followed his first degree in computer and electrical engineering at McGill University with a master’s degree in management of information systems at Northwestern, then an MBA at Duke University.) As he puts it, “It’s been educational to get perspectives from different industries. It helped round my thoughts but also acquire some battle scars.”

Scars or not, he clearly enjoys the work: “My favorite part of this work is the tight-knit community and cross-functional collaboration, even between competitive companies. The relationships and camaraderie really make the work fulfilling and create lasting friendships. Another aspect I love about this career is every morning when you get up, there is something new happening. The TTPs hackers use haven’t dramatically changed over the last decade, but the attack surfaces, how the techniques are applied, are always evolving.”

Ramy Houssaini: My Top 3 Priorities for 2022

Although the work can be fulfilling, it can also be intensely demanding. Burnout is increasingly rife across the industry, as is churn. Spend more than five minutes on Twitter and you will encounter an information security professional dreaming about becoming a farmer, artist -- or any other role that doesn’t involve computers.

Asked what his three priorities for 2022 are, those pressures are something that he’s quick to reflect on.

“My first priority is taking care of my team” he responds:

“One of my lasting insights from the last two years is that while we are all in the same storm, we are not all in the same boat. It might feel like we’re in the same crisis, but the realities and demands of this crisis are so very different for each individual. We have to keep reminding ourselves that everyone has different needs. So a key focus for me is how to better understand the mental and physical toll that the past two years have created for the team and create the conditions for everyone to recover and thrive.

"My second priority is staying close to what is changing with increasing cloud services adoption. As APIs and cloud technology become more interoperable, we need to figure out how to leverage automation and turn the security programme to services that just integrate into these technology landscapes rather than focusing on manual inspections. And my third priority is shaping the customer experiences of the future: reducing complexity and improving usability of controls/rail guards while enabling an improved experience for internal and external customers. This also means turning cybersecurity and privacy into a value generator for the company…”

The toughest challenges…

The rapidly evolving cyber realm makes for some complications. He picks out two key challenges.

“One of the main challenges facing cybersecurity teams today is the increased complexity associated with operating and managing a multitude of security controls. This is difficult for two reasons: first the telemetry generated by the various controls creates noise that requires significant processing in order to capture the key weak signals and filter out false positives. This can explain for example how some recent deep breaches took a while before the initial signals detected led to a clear confirmation of the attack.

“Second, the proliferation of point solutions forces the specialisation of the cybersecurity workforce and limits their end-to-end understanding of the cybersecurity posture of the organisation” he says.

“Against this context,” he notes by email, “the optimisation of the array of controls and its alignment to a clear security architecture becomes more challenging. The downstream impact is a significant unsustainable increase of security operating costs and the loss of a risk-based focus in managing cybersecurity…

“The other challenge that has been amplified by the recent pandemic is the need to reinvent the operating model for cybersecurity to account for an expansion in an organisation’s digital footprint, and the constraints of performing key cybersecurity activities (e.g. forensics) under unusual conditions. These changes will induce a re-orchestration of capabilities (more distributed) and a rethink of the security supply chain to introduce more dependencies on external providers. This in itself further increases the importance of improving the management of third-party cyber-risk and adopting a more ecosystem-driven approach” – something, he notes, which “remains difficult even for the most mature organisations.” (Particularly as software supply chain risk continues to grow.)

Security as an enabler…

“Philosophically,” he adds, however, “security should never be in a position to say ‘no’.

“Solving a security problem is fundamentally an engineering challenge. It's about really demonstrating the art of the possible; it's about coming up with innovative approaches, and not necessarily mechanically applying a checklist and leveraging the checklist to say, ‘this particular control contradicts this particular configuration and hence, the answer is no’. Maybe we are not asking the right questions, maybe there is an innovation out there in terms of an interesting approach to address the fundamental requirement, while complying with whatever controls we would like to adhere to. So I'm a strong believer in the need to not adopt a checklist approach when it comes to security, but actually think about every challenge as an engineering problem.

“That means deploying some ingenuity and coming up with the appropriate solution. When it comes to privacy, we now have some very interesting innovations on privacy-enabling technologies that allow us to maintain certain flows, while ensuring the confidentiality and the integrity of the information. It's really up to us to leverage these technologies to our advantage and find ways to say ‘yes’, more often.”

Pressed for a hard example, he mentions synthetic data as one, noting: “A lot of problems can be solved by leveraging sometimes synthetic data. And [yet] synthetic data adoption is still very low in a lot of environments. You can address constraints around R&D and innovation by leveraging such data.

“And if we want to ensure that we are reducing the risk of duplication of data; that we're very clear on what the asset inventories are we're able to enforce things in a more natural and less complex way [we have to think about] usability of the controls. That ties into something really important: the customer experience. We shouldn't be thinking about what do we do in isolation from how the customer is experiencing that particular product? And how can we make security become an ambient control, rather than something in the way?”

Demystifying security for the boardroom

Thinking about customer experience is important. So is the board, and Ramy Houssaini has been deeply involved in establishing a new training programme for board members on cybersecurity, which is being run by the DCRO Institute -- a nonprofit that brings essential risk governance expertise to the boardroom and C-suite.

“Cyber is just like any other business risk,” he explains to The Stack. “Cyber-risk is an evolving landscape and changes with M&A activity, [the] bringing [of] new products/capabilities to the market… Board members today need to understand this strategic use of technology and ensure that the management team is properly deploying technology to enable the business to succeed while being able to translate cyber-risk and the complicated data beneath it into business risk decisions. For this to happen, they will need to be equipped with the right knowledge and understanding of the issues. This is the vision for the programme.”

Top tips for peers?

What else has he learned in his journey to-date about building strong security programmes?

“I would say invest in actionable intelligence based on a clear security architecture and not in security silver bullets,” he says, clarifying that “by intelligence I don’t necessarily mean threat intelligence but rather the overall improved understanding of the cybersecurity posture and the capacity to make clear and measurable improvement in cyber-resilience. This usually requires the integration and analysis of several signals and the rationalization of the tooling to ensure that obsolete controls, which usually are a source of distraction and operational overhead, are phased out in favour of more effective ones. The prerequisite for this is to have a well-articulated security architecture and the associated technology roadmap.

“Having the discipline to invest the time to carefully study the environment and design fit-for-purpose controls instead of blanketing the organization with ineffective controls would pay dividends. Vendors [also] need to understand the context of their prospective client and the principles guiding their security architecture to then position their solution/platform in alignment and offer the adjacent benefits, such as replacing a full stack of existing controls, enabling frictionless security and enhancing the quality of decisions that CISOs and security engineering teams could be making to improve the cyber posture of their organizations. Emphasis should be placed on how the platforms enable actions and how they integrate in the operational fabric.”

Building a strong security team…

Ultimately an improved security risk posture is a team sport, Ramy Houssaini emphasises: “Cybersecurity skills density across the enterprise is more important than the number of people in the security organization. This is an important design consideration for a security team that recognizes that security is a team sport requiring the engagement of several stakeholders across product teams, engineering, operations, control functions and the business. In practice, it means ensuring that the extended security team is looked at comprehensively to understand the existing capabilities and the ones requiring rebuilding/reinvigoration.

“As for the setup of the teams, there needs to be a balance between the operational responsibilities, the advisory ones and the risk management & control ones. This has implications on the diversity of the profiles needed to ensure full-spectrum coverage for the multi-dimensional accountabilities of the cybersecurity organization. An important consideration is to embrace a service-based orientation. The teams should be structured on the basis of a clear service catalogue that codifies the expectations and deliverables as well as the engagement and collaboration required with other stakeholders. This will further improve the clarity of the teams on their objectives and also allow external partners to better understand different engagement models.”

This is a world away from some of the highly reactive security programmes that sometimes proliferate in large organisations. Where and how does he get time to step back from the flurry of daily tasks we all have and ensure he is thinking strategically about how teams and architectures are structured?

His answer sounds faintly apologetic, as if we had expected him to be doing something esoteric with a Raspberry Pi: “I actually like gardening... I think that we deal with a lot of abstract concepts [at work]. And sometimes it's important to find some sanity in doing something where you can see more immediate results right away. Gardening brings me serenity. That's my way of managing stress -- but also a passion.”

And with that he's off to roll up his sleeves: whether to cultivate a fruit tree or a data project, always trying to approach the outcome with a clear design and architecture in mind.

*The interview involved a Zoom call, as well as written questions. We have drawn from both for this article.