Email security is one of the key areas for 2019, says Naga Mallikarjuna Rao Junnuri, CISO, Syndicate Bank

Please explain some major changes the banking sector has undergone in the last two decades
We may treat the present state and progress of digitisation as a major disruption in the BFSI sector. In a few years from now, the brick-and-mortar banking may pave way for online banking in its totality. As far as major changes are concerned, that banking has undergone in last few decades, banks first introduced standalone ALPMs for transaction processing and continued with them nearly till 2000. Core banking solutions were launched during 2000 and the process was completed between 2008 and 2010. More ATMs were installed and card transactions had increased. Meanwhile, banks offered internet banking as a product.

NPCI came into being in 2009, and by 2011, mobile banking took-off with the emergence of apps and the ease of use thereof. RuPay cards were launched – thanks to the impetus given by the government. Due to the role played by NPCI, there is humongous increase in digital transactions. For example, the transactions through the BHIM UPI app have exploded and recorded a whopping transaction amount of over Rs 1 lakh crore in December 2018. The disruption started in 1991 through reforms, and the banking industry witnessed second disruption during the decade 2000-2010. Now, we are in third stage of this cycle of process maturity. This will continue, and we will see much more of this in the future.

In the wake of recent breaches, do you think there was lack of accountability; and do you think that automation is possible?
Accountability is a specific thing, limited to the incident. Sometimes, accountability can’t be fixed, particularly in the case of systemic breaches. In the wake of sudden explosion of digital products and services, it is an overwhelming task to come out with security products to mitigate each and every attack. Residual risk is like a remainder after putting in place all the security controls.

Automation is possible to a great extent. Going forward, AI and data analytics will play a major role in security operations. However, we will have technology at one end, and people who are considered the weakest link, at the other end. Complete security is a myth and not possible in real world.

What are the challenges faced by CISOs on the InfoSec front?
The greatest challenge that CISOs face now, is ensuring cyber security – security of web facing systems and processes, and critical infrastructure of the organisation. Within this, the challenge is imbibing security culture at all levels which include all stakeholders. It is not easy to alter the default behaviour of employees or customers. Unfortunately, basic cyber hygiene is lacking in the industry. CISOs should develop themselves as influencers, so that others will look up to them. Another includes continuous evolvution of complexity in technology. Incident response in such cases is challenging due to the increase in number of security breaches in new ways, where putting up defence to ward-off/ mitigate each and every security incident is not possible.

While the wave of digitisation is shaping the future of businesses, it’s also bringing the challenge to robustly secure the very critical customer facing and the native IT infrastructure; please share your views
The digital world is moving rapidly and is challenging the security domain to keep the pace. When new digital products are launched, they certainly have a deadline for the launch. During this stage, security takes the backseat. Then over a period of time, security solutions are put in place. Even AI takes some time to self-learn and secure; the initial period is unsecured and vulnerable. To address this, security should be part of software development as well as deployment. Further, defence in depth approach should be adopted and managed on continuous basis for critical applications and native IT infrastructure.

What are some of the best practices to be followed to maintain a robust IT security posture?
The best practices start from having a direction in the form of robust customised security policies and procedures in place. Even the frameworks prescribed by the regulatory authorities are to be looked at from the relevance point of view of the organisation. Security should be practical and aligned to business objectives. A risk-based approach to security should include well informed and cyber hygienic people, clear and implementable process and manageable technology.

In which areas of the banking industry, technologies like AI can be useful?
The banking industry is customer centric, where performance is crucial. With the help of importance-performance matrix created by AI, banks can make intelligent investments where it is required the most. Banks can deliver more with well deployed investments which may have a positive impact on their bottom-line.

Do you think there is lack of awareness, due to which the insiders are not following the security hygiene practices?
Yes, this is one of the major areas of concern. We may call it as an issue of ‘security culture’. In the past decade, the industry has invested in and deployed technology operations for businesses. Their work culture does not include security culture. Now, as breaches are on rise, it is high time to adopt a two-pronged approach. On one side, security practice should be made mandatory for all, having as far as possible centralised security control to minimise insider threats. Whereas on the other side, year-long calendar should be in place for imparting user awareness and security hygiene practices.

Are CISOs getting enough in terms of IT budgets?
Since 2016, banks have deployed various technology products for securing business from cyber risks. RBI’s Cyber Security Framework was the guiding force behind these investments. Largely, these investments have helped banks in pulling together various security processes in silos into a cohesive practice for enhanced monitoring and understanding of the overall security posture. The next thing to do is to get the best out of these processes. However, as investment on security is a continuous thing due to the high obsolescence of technology in use, IT budgets will definitely increase, where the implementations are required and mandatory. But getting enough is again confined and specific to the needs and affordability of the organisation.

What would be the top trends for 2019?
We may see increased automation on the security front. Banks may upgrade cyber security using ML and AI, and prioritise data security. Breaches may continue due to lack of awareness, cyber hygiene, attribution and accountability. File-less, self-propagating malware may be on the increase. More and more companies may transfer their risk in the form of cyber liability insurance. Furthermore, email security is one of the key trends for 2019, as phishing will continue to dominate the threat landscape.