As the banks are becoming digitally evolved, it dovetails into organisations getting more interconnected with each other as a result, data, IP, transactions, etc., gets shared using technology tools. In such a scenario, banks have to adopt a wholesome security approach to safeguard the interest of the customers. It not only requires securing the organisation’s IT infrastructure but also that of the entire ecosystem.
What has changed, after the wave of digitisation that is spreading fast, is the new threats, which didn’t exist before. The API web getting created around institutions needs breach protection as the digital supply chain players are highly connected. A malware infection in one part of the system can have a contagion effect across the board; data leakage in one institution can affect its partners and also customers to an extent.
There are technical solutions available to neutralise these deficiencies. But the fundamental issue is not with selecting the technologies, but the mindset. “Some supply chain players may be hesitant in sharing any security related information updates, which may be due to various reasons, however, information sharing and collaboration is the key. In case an incident happens in one part of the system, the partners should be willing to share the same with the entire ecosystem. This process needs to happen seamlessl,” says Ashutosh Jain, CISO, Axis Bank.
Communicating with the board: Keep it simple
The Board understands the need for strengthening the security system at all levels. The need for strengthening the IT security has never been an issue. “The Board understands the requirements. CISO’s prioritisation and what delivery matters the most. Generally the boards of all financial institutions are concerned about the readiness of their respective companies. Board members are curious about the time frame required to plug any cyber security gaps, as are general breaches are made known in media or otherwise. In such cases, it is better to avoid communicating the technical complexities and keeping it simple for Board and top management briefings,” states Jain.
“The plethora of emerging technologies are now so advanced that the real challenge lies in understanding and dealing with the complexity of the emerging technologies and the risks germinating from them,” adds Jain.
Changing role of CISO
The CISOs should continue to remain technically focused and keep up to the speed with the organisation’s business topology. Some of the skillsets, that will be in demand in the security industry include security operations, threat modeling, data scientists, who have the knack to extract or decipher the threats which are low and slow, etc. Generally security professionals should choose to specialise in one of the three mindsets, i.e. risk, security or audit mindset.
Whenever any organisation suffers security incident, big or small, the leadership and technical preparedness always get tested. The emergence and evolution of new technologies, especially public cloud, community open source, etc., also brings along with them the challenge of speedy and sound investigations, in case of a breach incident. Lack of well-rounded understanding of these technologies may be big impediment for security professional in-charge of such investigations.
The CISO is also responsible for continuous monitoring in organisations. The CISOs should move the needle from basic risk approach to an advanced threat discovery mindset, to look for specific opportunities of data leakage, malware infection to save the reputation damage.
Different organisations have different teams for conducting audits, which should work hand in hand with IT and CISO to ensure alignment of priorities and hence results.
Ethical hacking as a means for discovery of general controls weakness will continue to be used by CISOs. It’s generally being conducted across the financial industry and has proved effective over the years. It has been successful in highlighting the vulnerabilities, which remain undetected in the regular testing cycles. However, the practice should be done with caution.
India is emerging to be a promising country for security startups. DSCI has played a major role in introducing them to the corporates. Indian startups are doing well in the area of malware detection, honeypots and deception technology, security analytics.