Accelerated banking digitalization and widespread customer awareness of data privacy and protection urgencies have made CISOs treasured yet unenvied …

Chief Information Security Officers (CISOs) are the spine of an organization’s digital infrastructure. As businesses start transformating to digital end-to-end, it is the CISOs who have been at the front end fighting like Knight Warriors.

In the banking sector, with so much financial resources and sensitive data at stake, CISOs are tasked with ensuring that nothing gets lost to the hands of the hackers. These IT heroes have multiple roles to play: starting from detecting to neutralizing daily cyber threats, to formulating standard operating procedues and best practices for ensuring regulatory compliance and retaining customer trust. 

To get a taste of what the current pandemic has added to the already-overloaded plates of CISOs, CybersecAsia spoke with Niju Mohan K, the Chief Information Security Office at SBM (State Bank of Mauritius) Bank India …

Niju Mohan K, CISO, SBM Bank, India

CybersecAsia (CA): Please tell us what your role looks like day-to-day.

Niju Mohan K (Niju):
The CISO’s role in new age banks such as SBM Bank India, is quite different from that in most traditional banks. Given the bank’s collaborative banking strategy that involves expanding banking from the traditional realms to an always-on omnichannel on-demand experience, my role as CISO is not only securing information and IT infrastructure, but also making sure that our collaborators— comprising fintechs, non-banking financial companies and other financial services intermediaries—are also secure.

The day-to-day activities in my role include working with internal stakeholders (especially IT teams) to enhance our security framework, improve monitoring on possible breaches and strengthen internal protocols to protect, detect or mitigate probable IT risks. 

With a collaborative focus, the other area of my role has been towards monitoring integration of the systems of the bank while onboarding business and fintech vendors. The predefined toll gates for new solutioning within the banks and fintech onboarding is a major focus area.

In addition to this, my role is also overseeing awareness campaigns and employee training for sensitizing them on information and cybersecurity.

CA: What are some of the current cybersecurity implications in the banking sector?

Niju: With the accelerated digitalization of banking, the challenges and stakes around cybersecurity have increased manifold.

The internet is an insecure medium bridging my bank and its customers, and this is exacerbated by non-standardized device ecosystems and their varied security protocols. The cybersecurity challenges are multiplying each day. 

With vulnerabilities mounting, sophistication levels in fraud increasing—and all this compounded by a large section of the ill-aware or digitally challenged user base, the cybersecurity implications are far more critical than what meets the eye across the banking sector. The role demands continuous attention and initiative to sustain security.

CA: How much has the role of a CISO changed over the past two years?

Niju: There has been a paradigm shift in the perimeter of the organization due to the pandemic. This is in two separate aspects:

Internal: In the last two years, work from anywhere has become the norm. For banks, it is a bigger challenge as we have to deal with multiple regulations and laws of the land pertaining to data security, data privacy, confidentiality and integrity.

Proliferation of digital banking products: This has increased the threat landscape significantly as most of these products have higher-value transactions as compared to retail banking, and any single incorrect transaction can have massive repercussions.

CA: With ever-changing face of cyber threats, how are CISOs maintaining tight cybersecurity?

Niju: From a design perspective, the IT security threat landscape has always been in the domain of the CISO. With more banking clients being aware of surges in cyberattacks and the need for strong security requirements, the demands on CISOs have increased accordingly.

CISOs not only have to prevent new threats/threat actors from exploiting any vulnerabilities, but are expected to respond to newer challenges as quickly as possible.

All stakeholders would prefer that their banks do not have incidents but in the event of one happening, CISOs must respond and provide solutions in a prompt manner. Due to the relevance of various data privacy regulations worldwide, CISO also have to mandate transparency. These newer challenges have caused CISOs to request for larger budgets to invest in the latest security technologies to strengthen preventive measures and also meet benchmarks for threat detection, response and recovery times.

CA: What are some of the fast-moving challenges CISOs currently face? What strategies can overcome such challenges?

Niju: One of the biggest challenges faced by organizations is to detect a breach before any actual attack can happen. Most organizations that were hacked did not even know of the breach until months after the actual attacks.

However, finding these breaches is like searching for a needle in a haystack. Banks need to invest in Honey Pots, Network Behavior & Anomaly detection, and packet capture tools.

Preventive Forensic analysis needs to be done periodically to understand activity logs to detect breaches in a timely manner.

CA: Devising policy and controls to reduce risk has been a constant factor keeping CISOs awake at night …

Niju: Policy management, in line with regulatory requirements, is the bread-and-butter staple of any regulated financial institution in India.

The rules need to be watertight while not hampering or slowing down business. As banking is totally interconnected, banks need to be able to trust each other to do daily business.

Standardization enables banks to know and ensure that the complete ecosystem is secure in line with regulatory requirements. This basic understanding of the regulations enables all banks to have a consistent approach across the board to provide security to the customer. This is definitely a boon in disguise.

CA: What best practice advice would you give to potential CISOs?

Niju: Each potential CISO needs to build his or her own best practices based on standard frameworks such as ISO, NIST, COBIT, etc.

However, these practices must also be tuned to each organization’s needs. For example, a traditional bank would invest more in the security products framework while a new age bank would invest more in its vendor risk management framework. 

Implementation and selection of controls and best practices would also depend on the risks that need to be controlled. The exact approach would be individual to every organization.

CybersecAsia thanks Niju for sharing his insights.