Kapil Assudani Strategizes for Stronger Security

Kapil Assudani knows it’s not enough to be smart. Raised in India, the second most populous country in the world, “you pray to get into a decent school even after scoring 90 percent on an exam,” says Assudani, now a cybersecurity expert and the chief information security officer at Edwards Lifesciences. Instead, he has learned how to thrive in an ecosystem that centers on the philosophy of “survival of the fittest.”

When Assudani was accepted into the University of Missouri–Kansas City to pursue a master’s in computer networking, he arrived in the United States with $6,000 in his pocket and absolutely no background in computer science. That experience definitely “put his survival instincts to the test,” Assudani recalls, and instilled in him the importance of resilience and discipline. But it was when he landed his first position in the US that his eyes truly opened to the realities of the field he had chosen.

“I worked for this guy who was really, really smart but was a sort of knowledge-hoarder,” Assudani says of that first position. “He wouldn’t share any knowledge or even let me access some of the systems as a job security measure.”

“But my CIO dropped in one day and fired him, then looked at me and said, ‘You have to handle everything now,’” Assudani continues. “I knew nothing but was asked to make it happen. I had to learn everything from scratch, and I did. As a leader, I had to take educated risks, be decisive, and willing to make tough calls.”

As Assudani has moved up through top companies such as EY, Symantec, Blue Cross Blue Shield, and Kaiser Permanente, those lessons stayed with him. His transition from a “breaker,” or ethical hacker, to a “builder,” or architect and strategist, has been marked by a need to become ever more comfortable in making decisions clouded by uncertainty. And he’s learned to master the art of decomposing complex problems into simple ones.

When you are a white hat breaker, Assudani explains, your sole responsibility is to break into a company’s network and help them identify and understand the flaws in their security system. “You are considered a hero when you hack into those companies,” Assudani laughs. “And it’s pretty easy: as a hacker, you just have to find one gap in the system and then it’s game over.”

But as a builder, Assudani’s job became much more complicated. “Unlike an adversary who just has to find one security hole and claim glory, with a security team, you have to find—and plug—each and every gap that might be there while also finding a balance with your business’s needs and operations,” he explains.

Luckily, his nearly fifteen years in the field have given him ample time to find that balance. According to Assudani, a cybersecurity program that successfully works within that balance must, above all, be contextual. In other words, the program must mesh well with both the culture of the IT team at a given company—the team’s skill sets, the individual personalities on the team—as well as the culture of the organization as a whole.

Assudani notes that these security programs must be tailored to individual teams and organizations, or they cannot be widely applied across the industry. “A lot of times, leaders try to apply the security programs they used or built at previous companies to their current organizations,” Assudani says. “But it doesn’t work, and they experience huge disconnects and pushback because of the disruption and lack of effectiveness. It’s like trying to fit a square peg in a round hole.”

The need to tailor these security programs to the context in which they are applied is also a challenge in terms of the time it takes to build a mature program. “Quality comes at a cost,” Assudani notes. Because the programs take time, money, and resources to build, security leaders like Assudani must also have a robust strategy to avoid breaches effectively and to concurrently fight the never-ending war against hackers.

“Hackers are not waiting around for us to build a mature program over the course of years,” he points out. “They’re knocking on your perimeter every single minute. So, the question becomes, how do you identify the right priorities—the initiatives that will allow you to efficiently build a security hygiene baseline—so that you have time to build a mature program over it?”

To Assudani, his biggest asset is always his team. Having the right team is critical to gaining impactful wins in a short period of time, he says, which is the best way to earn the trust of the company’s leadership and expand programs. Assudani has developed his own system for developing and strengthening his teams, which centers on organizational performance, candid and real time feedback, and establishing trust.

“Giving candid feedback in real time should be a habit, even if it’s as simple as a quick ‘kudos’ or a thumbs up or down,” he says. “Your team will appreciate this style because they’ll know what’s needed to succeed immediately rather than knowing after failing. You have to back your people up at all times—it gives them the freedom to create and innovate worry free. Ultimately, wins belong to the team, losses to the leader.”

And throughout all those wins and losses, and the constant stress test that is the cybersecurity industry, Assudani remains focused on the “great sense of accomplishment” he gains from exercising his passion for information security in the healthcare industry—especially within a cutting-edge medical equipment company like Edwards Lifesciences.

“Education, healthcare, and security are the fundamental domains that build up a nation, and I have found a way to touch all three,” Assudani says. “Healthcare is such a great cause—there is no feeling equivalent to seeing our patients come back to us smiling and telling us how they are going to live longer than they expected because of our quality products.”

As CISO of Edwards Lifesciences, Assudani remains committed to protecting that noble mission.