“Role of the CISO is to make sure that the risks are mitigated to an extent, the product is void of any risks or is only left with residual risk. A complete risk mitigation is possible by putting forth a convincing case to the business in making them to look at the product from a risk perspective,” says Sameer Ratolikar, CISO, HDFC Bank. In conversation with Abhishek Raval
Recently HDFC Bank has launched the system for enabling the disbursal of personal loans in under 10 seconds to its current customers. This service is receiving good response from the customers. How is the Information security handled for a fast moving service as this one?
As a part of the product life cycle management, any new banking product is rolled out subject to various committee and departmental clearances. The information security group (ISG) is one of the departments. We suggest that the specific controls should be embedded as a part of the product – two factor authentication, out-of-band based authentication, transactional monitoring, right access controls etc. This results in an information security aligned product roll-out.
The bank’s ISG has a proper application framework in place. Whenever the requirement comes up from the business for rolling out a specific product for the customers, our team prepares a simulation about what kind of threats is it vulnerable to and at what levels. To be specific, the threats on the operations part, product features, etc. Look at it from a hacker’s angle; try to break the product, breach the functionality.
We develop various fraud scenarios, which is a part of the product assessment and then suggest the appropriate mechanisms that makes the product free from any vulnerabilities. At HDFC Bank, the business understands the importance of information security. If any of the layers is breached, it could turn into a lot of adversarial consequences. The business is aware of it. The appropriate mitigating measures suggested are incorporated in the product after the submission of the proposals by the ISG. It comes back to us again for further fine tuning. The business, if convinced rolls it out.
The role of the CISO or the ISG is to make sure that the risks are mitigated to an extent, the product is void of any risks or is only left with residual risk. A complete risk mitigation is possible by putting forth a convincing case to the business in making them to look at the product from a risk perspective.
We keep hearing that Information Security is sidelined in a hurry to achieve numbers: QoQ, yearly targets. What is your view on this?
I concur. At times, there is huge pressure and the information security review of a soon to be launched initiative is expected to be completed in under 24 hours! Whereas a wholesome information security review for new launches requires about 4-8 days. In that case, on that particular day, we have to pour in all our energy, time and experience on the review. In case if the original controls proposed are send back to us for further review and revision then we have to make sure that the compensating controls are as robust as the actual controls, after which the permission is granted for market entry. However, the residual risk remains.
HDFC bank leads the race in mobile banking in India. What is your approach for managing information security for the mobile channel?
Mobile banking is not very different from internet banking. The form factor changes, but the risks are more or less same. The fear of identity theft from the mobile device getting stolen is high. There are issues regarding mobile malware. Primarily, in the world of mobile device, risk-based scenarios should be created and charted out.
At HDFC Bank, we have integrated mobile banking with internet banking as far as the transaction monitoring is concerned. So, even if the credentials are stolen, the fraudster won’t be able to add any beneficiary through the mobile device. He will have to access the internet banking channel to add the beneficiary. The systems are engineered to be seamless, making sure that different form factors and channels talk to each other. We have adopted an integrated approach towards fraud management.
In order to provide better services to its clients, HDFC bank has partnered with many organisations. How can you ensure that a customer’s information is secure even when he is transacting on some other website?
The extent of partnership determines the approach we take. The ISG plays an active role under the following conditions – If it involves transactions happening through the website; whether the partner website is talking to the HDFC Bank website through API calls or web services calls; is there a customer data exchange involved, etc. We conduct a proper due diligence because they might not have the controls as robust as the bank. Our team check the websites for how frequently do they conduct vulnerability assessment, the kind of website application firewall they have, the kind of counter DDoS mechanisms and website access controls put in place.
Insider theft is something that all banks have to live with. Privilege Identity Management (PIM) is considered to be a strong tool to address this threat. Both public and private banks have evinced strong interest in PIM in the last few years. Your views.
We have a privilege user monitoring solution, which monitors the activities carried out by the privileged users. The bank is now in the process of upgrading the solution to a better version. It is also integrated with the Security Operations Centre (SOC). So on a single screen, we are able to see all the activities on the dashboard.
Is HDFC bank working on any security certifications ?
Yes, we are working on PCI-DSS certification. We hope to achieve it by December.
How is the bank using technology to manage frauds?
HDFC Bank has invested in Enterprise level solution for Digital Banking such as monitoring of NetBanking, Credit and Debit Cards & Merchant acquiring transactions with the capability to decline transactions with the fraud trend. The Bank is first to implement adaptive authentication technology for providing enhanced security for online transactions.
The ‘Fraud Action & Intelligence’ Service is another initiative of the Bank. It gets insights on emerging fraud trends around the world. The bank’s adoption of two factor authentication for e-commerce transactions on credit and debit cards helps in securing online transactions. Scoring engine to compute fraud score for each of the transactions is also done in the Bank.
We are also actively engaged with card schemes like Visa & MasterCard, external consultants in understanding the global fraud trends and accordingly risk mitigation strategies are decided.
A progressive investment on risk based solutions provides a safe & secure platform for our customers and the merchants.
In your career span, you have worked with a government agency, a public sector bank and two private sector banks. What lessons have you have learnt on the way?
In every organisation, the approach towards information security is different. There is divergence in attention, structure and budgets for information security.
My learning: Don’t take information security for granted. No matter, the necessary systems are in place, the hackers and fraudsters are a step ahead. Another learning is to have visibility of the threat landscape. It acts as a compass to structure and strategise the information security programme.
Awareness is a key learning. No matter, how strong the preparedness of IT to safeguard the systems, it’s of no use unless the employees, customers are unaware about the basic security hygiene.
Another takeaway is the importance of structuring information security. Organisations should follow the Prevent, Protect, Detect and Response (PDR) approach. The controls are designed based on these three categories and then a particular execution strategy is developed.
