Security Culture Doesn’t Happen Overnight — It’s Built with Consistent Communication : Gunjan Mody, CISO, IIFL Home Loans
In an exclusive conversation with Express Computer, Gunjan Mody, Chief Information Security Officer, IIFL Home Loans, delves into the critical importance of embedding cybersecurity into the DNA of an organisation, especially in a highly regulated and trust-driven sector like housing finance. He discusses how regulatory frameworks like RBI’s cybersecurity mandates and the DPDP Act are shaping strategic priorities, and why maintaining data privacy in an AI-accelerated world is now more challenging than ever. Mody also highlights the dual nature of AI as both a powerful opportunity and a rising threat in cybersecurity, and shares perspectives on securing digital platforms and fostering a resilient, security-first culture through leadership commitment and continuous awareness.
As the CISO of IIFL Home Loans, how do you approach building a cybersecurity strategy that aligns with business objectives in a highly regulated sector like housing finance?
Cybersecurity strategy for any regulated company, not just IIFL Home, starts with basic regulatory or contractual requirements. Thankfully for us, RBI is one of the front runners in adopting and enforcing various cybersecurity requirements, and our cybersecurity strategy incorporates all regulatory requirements.
Given your experience in the housing finance industry, what unique cybersecurity challenges does this sector face compared to other financial institutions?
This challenge is not unique to the housing finance industry but applies to the entire financial services sector. I strongly feel that we have been operating in a very traditional manner and by traditional, I don’t mean the use of manual or paper-based processes, but rather the way we use data to deliver services. Today, if a business department wants to launch a new product or target a specific user segment, they rely heavily on analysis reports generated by data analytics tools. The real challenge lies not in the usage of such tools, but in ensuring compliance with data privacy regulations. Are we certain that the data being analysed has been consented for such use? Consent under the Digital Personal Data Protection Act (DPDPA) must be specific. If a user has not consented to data analytics, that data cannot be used in analytical processes. In my view, the biggest challenge for the financial services sector right now is the implementation of the DPDPA—and this will take time to fully mature.
How do you ensure a security-first culture across all levels of the organisation, especially in a sector that relies heavily on customer trust and regulatory compliance?
A security-first culture in any organisation doesn’t develop overnight—nor is it possible without strong buy-in from top leadership. One of the most effective ways to build this culture is through consistent communication and awareness. It’s important to regularly highlight the importance of security, engage with teams and business units, and continuously test whether the message is being understood and absorbed. In essence, fostering a security-first mindset requires ongoing dialogue, reinforcement, and leadership support across the organisation.
What steps is your team taking to address evolving data privacy regulations, especially in light of the DPDP Act and RBI guidelines?
We have already done a comprehensive gap assessment with respect to the Act and RBI guidelines. We have already called out the actionables, and we have the necessary budget and management buy-in. We are now prioritising our actions to get the controls implemented, including design of our policies, procedures, implementation of necessary tools, etc.
Generative AI is transforming multiple industries — how do you see its impact on cybersecurity, both in terms of new risks and opportunities?
AI brings with it both opportunities and new risks. Let’s begin with the opportunities, which are numerous when it comes to implementing AI in cybersecurity environments:
- Threat detection: We all have a SOC / SIEM setup and we get a lot of data which needs to be analysed or acted upon. Doing this manually or relying just on pre-defined severities is the death of your SOC setup. AI can help in detecting anomalies and patterns that could result either in data loss or in an identity breach.
- Automating mundane tasks: AI can automate tasks that are manual, repetitive, and time-consuming. For example, doing your monthly VA, generating that incident report, or closing a port / communication which is flagged as high risk.
- Proactive threat hunting: A lot of next-gen SIEM solutions now use Natural Language Processing (NLP) for threat hunting, data analysis, or rule writing. SOC analysts now need not learn YARA, Python or YAML. Results are also displayed in plain, easy-to-understand English, making the entire SOC operation much easier to understand and implement.
Now let’s talk about some of the risks that AI poses to cybersecurity. I strongly believe that while we are not yet adopting AI to its fullest potential, hackers and threat actors are. They are already far ahead in using AI to launch and customise sophisticated attacks. For example:
- Phishing: The common identifiers, which used to be bad English and un-customised emails, are now very different, i.e. you are getting emails which are very specific to a person / individual. Emails look so legitimate that it’s getting difficult for even a trained eye to identify the difference.
- Hack GPT: We have heard about ChatGPT, which a lot of users use for a lot of activities. But now we have Hack GPT, which is nothing but a lot of hacking techniques, hacking code, scripts to bypass your firewall, scripts to bypass your EDR, and scripts to find vulnerabilities targeting the specific controls implemented.
- Protecting AI itself: We generally tend to miss out on the basics in the excitement of using a new tech. AI tech, if not secured properly, can result in AI models which were supposed to be used for the benefit of the organisation being used against it. So do the basic things correctly.
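The "threat detection" opportunity above talks about a SOC drowning in SIEM data and needing anomalies flagged automatically. The following is an added illustration, not code from Mr Mody or IIFL Home Loans: a plain statistical baseline (per-user failed-login counts compared against that user's own hourly history) standing in for what an AI-assisted SIEM does at scale. The log format, the user names and the burst of failures are all constructed for the example.

```python
"""Baseline-deviation detection over authentication events (constructed sample data)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical line format, not any real product's: "<ISO timestamp> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def build_sample_log():
    """Constructed day of events: alice mistypes once an hour, bob never fails,
    then bob's account takes a burst of 40 failures at 23:00 (a password-guessing pattern)."""
    lines = []
    for hour in range(24):
        lines.append(f"2024-05-01T{hour:02d}:05:00Z user=alice result=FAIL")
        lines.append(f"2024-05-01T{hour:02d}:06:00Z user=alice result=OK")
        lines.append(f"2024-05-01T{hour:02d}:10:00Z user=bob result=OK")
    for i in range(40):
        lines.append(f"2024-05-01T23:{i:02d}:30Z user=bob result=FAIL")
    return "\n".join(lines)


def parse_events(text):
    """Parse log lines into (user, hour, result) tuples; malformed lines are skipped, never guessed."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("user"), int(m.group("hour")), m.group("result")))
    return events


def failures_per_hour(events):
    """Count FAIL results per user per hour of day (24 buckets per user)."""
    counts = defaultdict(lambda: [0] * 24)
    for user, hour, result in events:
        if result == "FAIL":
            counts[user][hour] += 1
    return counts


def find_anomalies(counts, z_threshold=3.0, min_failures=10):
    """Flag an hour whose failure count sits far above the user's own baseline.

    The baseline for each hour is every other hour of that user's day. A z-score
    needs a non-zero spread, so a perfectly flat baseline with a higher count is
    treated as infinitely anomalous; min_failures keeps a single typo from alerting."""
    alerts = []
    for user, hourly in counts.items():
        for hour, n in enumerate(hourly):
            baseline = hourly[:hour] + hourly[hour + 1:]
            mu, sigma = mean(baseline), pstdev(baseline)
            if sigma > 0:
                z = (n - mu) / sigma
            else:
                z = float("inf") if n > mu else 0.0
            if n >= min_failures and z >= z_threshold:
                alerts.append({"user": user, "hour": hour,
                               "failures": n, "baseline_mean": round(mu, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(failures_per_hour(parse_events(build_sample_log()))):
        print(alert)
```

Alice's steady one-failure-per-hour habit produces no alert because it matches her own baseline; Bob's burst at 23:00 does, because it dwarfs his history. A real SIEM would add the dimensions the interview mentions (source address, geography, data-access patterns) rather than just the hour, but the principle is the same: alert on deviation from a learned baseline instead of on fixed severities alone.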
Digital loan processing and customer onboarding are increasingly common — how do you secure these customer-facing platforms from fraud and data breaches?
I would like to address this question not just in the context of digital loan processing or customer onboarding, but more broadly in relation to any customer-facing or externally facing applications. In addition to the basic cybersecurity controls implemented on any application, the following measures are essential:
- Ensure the application is placed behind a Web Application Firewall (WAF).
- Make vulnerability assessment (VA), penetration testing (PT), and patching controls more stringent and frequent compared to internal applications.
- Ensure the associated supply chain is well protected.
- If the application includes login functionalities, implement Multi-Factor Authentication (MFA) effectively.
- Do not allow users to set simple or dictionary-based passwords. Many companies are now moving away from password-based authentication and adopting OTP-based login with MFA.
- Monitor the dark web and open internet for impersonation attempts, and ensure that takedown services are in place to respond promptly.
- If the application handles critical data, consider deploying honeypots as part of a proactive security strategy. It doesn’t hurt to go slightly offensive when it comes to protecting your digital assets.
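One of the controls listed above is refusing simple or dictionary-based passwords. As an added example (not code from the interviewee or IIFL Home Loans), here is a registration-time password check that rejects short passwords, dictionary words even after common character substitutions, passwords containing the username, long repeated runs and keyboard-style sequences. The tiny `DICTIONARY` set is a constructed stand-in for a real breached-password or dictionary list, and the thresholds are assumptions to tune to your own policy.

```python
"""Password policy check for a customer-facing login (added example with constructed wordlist)."""
import re

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "qwerty", "letmein", "admin",
              "iloveyou", "monkey", "dragon", "football", "homeloan"}

# Common substitutions users apply to sneak a dictionary word past a naive check.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalised_forms(pw):
    """Lower-cased password plus a copy with leet substitutions undone, so 'P@ssw0rd' reads 'password'."""
    low = pw.lower()
    return {low, low.translate(LEET_MAP)}


def dictionary_hit(pw, dictionary=DICTIONARY):
    """True if any dictionary word appears inside any normalised form of the password."""
    forms = normalised_forms(pw)
    return any(word in form for word in dictionary for form in forms)


def is_sequential(s, run=4):
    """True if s contains `run` consecutive ascending or descending characters (abcd, 4321)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(pw, username="", min_length=12, dictionary=DICTIONARY):
    """Return (accepted, reasons). Every failing rule is reported so the user can fix all at once."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if dictionary_hit(pw, dictionary):
        reasons.append("dictionary word (after undoing common substitutions)")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("four or more repeated characters")
    if is_sequential(pw):
        reasons.append("sequential characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd123!", "alice"), ("alice2024!!!!", "alice"),
                            ("correct horse battery staple", "bob")]:
        print(candidate, check_password(candidate, user))
```

Run server-side at registration and password change; a client-side copy is fine for instant feedback but must never be the only check. Substring matching against the wordlist is deliberately strict (it will reject "admin2024" as well as "admin"), which is the right bias for an externally facing finance application.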