Are CIOs/CISOs in India’s financial industries so overloaded with cybersecurity product options that they fail to pick the most appropriate solutions?

Last year, the banking industry witnessed a 1,318% increase in ransomware attacks, by one estimate. This means the industry is one of the most vulnerable sectors, and 2022 will be even more critical due to the super-accelerated global adoption of digital payments.

CIOs and CISOs in the banking, financial services and insurance sectors are therefore heavily focused on upskilling and educating customers as a top priority. 

However, when it comes to cybersecurity and the solutions available, could there be an overload of awareness in these decision makers? This could confuse them enough to lead to sub-optimal decisions for the organization, according to Ranjith Purushothaman, Chief Manager ISG & IS Audit, Dhanlaxmi Bank Limited.

To find out about the phenomenon, and how organization and customers can navigate the cybersecurity solutions maze to achieve a safer banking experience, CybersecAsia interviewed Ranjith for a backgrounder.

CybersecAsia: Why do you think there is an overdose of awareness on cybersecurity for the BFSI sector for CIOs and CISOs trying to pick the appropriate cybersecurity solution for their firm? 

Ranjith:  We have a lot of articles and resources being published on creating awareness among the CIOs and CISOs. However, it is up to each individual to pick the right information they need to fix their problem. The right to take a call is theirs.

For instance, over the last two years, startups have emerged as the powerhouse providing incredible solutions and technologies to the banking sector. But what we feel is that, unlike the traditional IT systems, cybersecurity products are not mature, or we do not have a proper benchmark to evaluate their capabilities. To me, this is correct to some extent, and it is here that the CIOs and CISOs need to take a cautious call. 

The need of the hour is that the responsible executives need to enhance their security knowledge to be able to select the right product. Ultimately, we are trying to address some business risks, and hence tackling cybersecurity risks should be converted to additional services. 

After the passing of the data protection law in India, various vendors are coming up with security variations on database encryption, masking and others. But we are not sure if their products are mature enough to protect data. We also must consider if these solutions will be government approved or provide a good return on investment. There may also be hidden obstacles that we may not be aware of. But how to bring these issues to the surface? 

Cybersecurity is ever-changing, and hence existing solutions need to be fine-tuned while new solutions should be created keeping the future in mind. Finally, it is about accessing the existing solutions and measuring ROI for the particular investment. 

CybersecAsia: With different banks requiring different cybersecurity solutions, do one-size-fits-all products continue to be relevant in the changing cyber threat landscape?

Ranjith: Theone-size-fits-all is an old adage now, and should be deleted from the dictionary. It does not work for any industry anymore. Banking functions have their own critical components and hence it is important to cautiously evaluate the existing and new technologies or solutions.

A small miss and you open the door to cyberattackers, thereby losing millions or billions of your clients’ money and your reputation goes kaput. 

While the big banks and the small banks may offer similar services, their internal processes differ, which means we need to have different security solutions.

However, we need to take a cautious call if our security measures are not paying off. We need to evaluate our ROI and scrutinize if we have made the right investment. After all, the call on having cybersecurity installed in your organization or department depends on your balance sheet or the size of each department! 

CybersecAsia: In 2022, what would be the focus of the Indian BFSI sector in terms of cybersecurity? 

Ranjith: The Indian government is pushing various digital products and hence banks need to ensure that they have their digital payment systems in place which are foolproof and can secure customers’ money. Customer awareness is also a key aspect. They should know about the company and how to utilize the product.

Hence, banks need to focus on educating their customers and creating awareness among them about the distinct products and the common setting controls. In 2022 we expect to see a large focus on digital payment security from the BFSI industry. 

CybersecAsia: How can banks educate their customers in terms of their products and security? 

Ranjith: They can do this through newspaper ads, YouTube videos, and even SMS. But ultimately, the customer also must become aware of certain scenarios where hackers are too smart for even the cyber aware customers.

Hackers can create a critical situation to make victims panic, and in their anxiety inadvertently provide confidential information. Exploiting the customers emotionally is the key for hackers. But as banks gear up to educate the customers, things will slowly become better and stronger. 

As digital banking picks up pace, even the older generation are using digital products. Hence, we need to understand their difficulties precisely and find ways to help them learn and retain cyber awareness independently. On our end, we must be their gatekeepers in keeping attacks at bay so that they never even reach customers.