Axis Bank CISO on Security, ComplianceSameer Ratolikar: Proactive Security is the Key to Success
Proactive security is something that the Indian financial services community is slowly turning toward, tempered by the rising number of fraud incidents and threats to their business. Measuring security effectiveness and improving on established baselines have become a business mantra.
"Metrics should be the fundamental parameter using which you should measure security effectiveness," says Sameer Ratolikar, CISO at Axis Bank - India's third largest private bank.
Ratolikar also places great value on security awareness.
"In my opinion, information security awareness as a dedicated channel is going to be the most important thing in fighting fraud," he says. "This includes communicating the importance of security to the customers as well as educating the workforce. Indeed, educating the workforce is essential to inculcate a security culture within the organization."
In an exclusive interview with Information Security Media Group, Ratolikar discusses some of his top compliance and anti-fraud challenges, including:
- The information risk landscape and challenges faced by Indian banks;
- Balancing compliance mandates with business risks;
- Measuring security and driving ownership to every business function.
A firm believer in the role of the CISO as a risk manager and security thought leader in an organization, Ratolikar is a well-known figure in information security circles, and has spoken extensively at various industry forums and events. He was previously the CTO and CISO at Bank of India and has more than 20 years of experience in IT and information security.
VARUN HARAN: Please tell me a little more about your role in the organization and the reporting hierarchy?
SAMEER RATOLIKAR: I am responsible for information security across the organization, including subsidiaries and foreign centres. My role encompasses the strategic management of information security and its alignment with the business's objectives. It is part of my mandate to ensure that customer data receives an appropriate amount of attention in terms of privacy and security hygiene, ensuring business applications are securely wrapped before delivery to customers. Spreading awareness regarding security - within the organization and without - is another important aspect of my role here.
I report into the executive director in my organization, who is also a board member.
Malware, Third-Party Risks
HARAN: What are the cybersecurity and compliance concerns your bank is most sensitive to?
RATOLIKAR: Worldwide malware [strains] have become advanced and sophisticated, and tackling them requires the right security architecture and a restricted ingress-egress mechanism. Data transmission to third-party vendors for business purpose is also a point of worry, and you have to extend the boundaries of security processes and compliance.
In the kind of business environment that Indian banks function in, there is a huge set of outsourced vendors with whom data is shared. Within my ecosystem, data is available everywhere today. The most important aspect of maintaining security in such environments is having visibility into your data - both in motion and at rest; and visibility into who has access to it. On the similar lines, application security is also an important area with attacks on point-of-sale terminals on the rise; especially in acquirer transactions.
Non-compliance is also a big challenge for Indian banks, as the penalties can be quite severe, especially [related to] the RBI guidance. The other big challenge for someone in my position is the exponential rise in targeted attacks. Malware has taken the form of organized syndicates today and crypto-Trojans, ransomware and DDoS attacks are some recent developments that are a major concern for me.
HARAN: In your current position, what are some measures to mitigate these concerns?
RATOLIKAR: From a remediation perspective, you need to have an anti-malware strategy in place for the organization. Periodic risk assessments on the infrastructure are a must. Having an integrated data leakage prevention program in place is another major aspect of preventing electronic fraud, especially those perpetrated by insiders. Relevant controls then need to be implemented in the form of periodical audits, data masking/redaction solutions, etc.
For application security, we have devised a framework where source code is analysed and applications are screened periodically. In addition to technical assessments like VA/PT, non-technical assessments are also carried out regularly. All of this is mandated by the RBI, which also helps me meet my compliance goals.
In my opinion, information security awareness as a dedicated channel is going to be the most important thing in fighting fraud. This includes communicating the importance of security to the customers as well as educating the workforce. Indeed, educating the workforce is essential to inculcate a security culture within the organization.
Compliance Challenges, Solutions
HARAN: What are the kinds of compliance challenges that you deal with in your organization?
RATOLIKAR: From a banker's perspective, my primary compliance mandates are from the IT Act 2008 (amendment), and the RBI guidelines that bind all banking institutions, especially the guidelines on electronic transactions. PCI DSS is another important standard that we are required to adhere to. In addition, given the bank's international presence, there are various local compliances that have to be met in different geographies. - for instance, complying with MAS guidelines in Singapore and other local regulators. I think RBI guidelines are fantastic and some of the finest there are, even compared internationally, from an information security and a technology risk management perspective.
Within the organization, we have developed a unified compliance framework, which takes care of the control requirements from all these standards.
HARAN:How do you align your compliance mandates to get the best business value and effective security while adhering to regulatory guidance?
RATOLIKAR: The UCF is nothing but an amalgamation of compliance requirements and best practices from all our regulators, international best practices, the IT Act and RBI guidelines that we need to fulfill. This also contains information on the applicability, the control matrix and the impact of non-compliance. We use this as a kind of a textbook or a control library within the organization. This process is home-grown and automated to some extent. For example, for every instance of non-compliance, it is possible for me to find out the depth of non-compliance or in other words, the other areas this makes me non-compliant in, by extension.
In my opinion, the best way to align compliances to business is to prioritize security investments based on compliance requirements and emerging threats. Following this, you need to chart out the right approach, which would be a combination of people, processes and technology. You need to strike a balance between the business risks and your compliance mandates in such a way that the compliance is achieved and the business risk - if not fully closed, is at least mitigated to a reasonable extent. While one may not be able to eliminate risk completely with the business model that exists today, it can definitely be minimized with various measures.
The Value of Metrics
HARAN: What advice would you impart to a banking CISO to fight cybersecurity threats? How can they drive ownership of information security in their organizations?
RATOLIKAR: A CISO in an Indian bank cannot have a passive, cabin-jockey attitude. Be proactive. Perform risk assessments on your applications and infrastructure to pinpoint your weaknesses on a regular basis. Follow this up by identifying your critical business processes and conduct a business impact analysis. This helps in identifying your critical information assets and applications. You can then use a combination of people, process and technology to mitigate these risks using a unified framework and keeping a close eye on metrics.
Metrics should be the fundamental parameter using which you should measure effectiveness. Metrics can be collected for any periodicity today, and monitoring the effectiveness of your controls using a metric would give you a sense of the security posture of our organization. In our organization, we have a implemented an automated dashboard for information security metrics basis the ISO 27004 metrics standard which we are in the process of deploying.
In terms of ownership, technology is now part of every aspect of the business, and you need to constantly connect with the various business heads to make them aware of RBI guidance and the security landscape. Individually, the heads of departments and the employees are responsible for security within their ambit. At our organization, we have integrated DLP with an HR mandate wherein disciplinary action is taken in cases of insider fraud or non-compliance. It becomes an HR matter now so each individual must take ownership.
Again, a CISOs role involves the combination of people, process and technology for managing information risk, with a strong focus on compliance.