Monday, March 7, 2011

Interview with Sameer J Ratolikar, Chief Information Security Officer (CISO), Bank of India

Sameer J Ratolikar, Chief Information Security Officer (CISO), Bank of India talks about various issues and challenges that surround the information security frontier today.

What is it like being a CISO as compared to the role of being a CIO? 

A CIO is the overall head of IT procurement who takes care of IT decisions within a certain IT budget. A CISO takes care of effective implementation of the information security part, which in the case of a banking organization is significant enough. For a banking enterprise that is moving from offline to online in various areas and is being enveloped with various cyber frauds and threats that are emerging substantially, the role becomes more acute.

How does a CISO sync in with a CIO? Is it an equation of conflict or overlap, or one that is complementary?

For all my requirements on technology support for IS, my CIO is absolutely with me. The only thing is that he needs to be convinced. That's a strategic issue of convincing a CIO on budget and deployment for security devices. For that, statistics, global bank comparisons, and a risk appetite approach work well. I am sure a CIO understands IS as much as a CISO. At my organization, of course the CIO is ultimately the head, but IS is not a problem and we both are on the same understanding level.

Isn't it interesting that in the overall IT Budget and plan, security is not that big a slice and is taken care of only when the alarm bells ring? 

Yes, that's always an issue. Ultimately what is needed from a CISO is regular risk assessment of the threat and business impact. For a banking organization such risks translate into various areas. There is not only reputation loss, and legal issues with RBI actions but also customer loss and business impact, and all this has to be clearly explained to the top management.

The repercussions of not addressing security are very high in a bank. It's not a one-time exercise for sure. It has to be very periodic with regular assessment exercises, quarterly meetings, newsletters, security emails, organizing an information security week etc.

What troubles you the most in today's threat landscape?
 
Application security. The crimeware, malware etc. that is specially crafted for financial institutions is getting serious. To counter various threats, one needs a necessary secure application framework.

How pertinent are methods like penetration testing, whitelisting or ethical hacking?
 
They are very much an in-depth part of defence and in countering attacks.

With the typical cat-and-mouse flavour of threat-and-security in today's era of swift technology, how do you ensure you catch up in time? 

I approach it through a periodic risk assessment exercise. Any changes, new additions in infrastructure have to be assessed for risks and once that is studied well and put on paper, one is clear about risks that come along. When a new investment or technology upgrade comes to table, we also ask, what's the cost if we do not invest in it for next two or three years, till the costs come down. The balance between security and convenience is taken care of.

Vulnerabilities associated with a new project or asset are listed down well. Then the other part of risks is taken care of at the staging area with penetration testing etc. Risk mitigation is carried out as per the appetite and study. And it's not only the CISO but other functions and people, like those from network security, storage, database administration etc., that jointly handle security issues.

Besides that, as CISO you also need to have a little bit of future sense and intuition to see what's coming next.

So according to your future horizon, what are you betting on next? 

We are looking for a security compliance tool, an internal vulnerability assessment tool, and a web application firewall.

Do vendors just push their solutions or are your unique needs being taken into consideration?

It's a mix and is quite challenging to make IT decisions in this scenario. What we do is that we first do an internal assessment and then freeze our requirements. Only then do we go to the next step of shortlisting vendors and then come to a concrete solution that takes care of our precise requirements. We also have a technology brainstorm with our vendors.

And what's your take on outsourcing security needs?

That's not a bad idea as long as one has enough risk appetite for the transit security mode. Of course, there are technologies to take care of that, but it depends on one's own approach.

Between Web, Network, Storage etc, what is the security hotspot today, if any? 

For us, it's clearly the area of database security. Ultimately this is where it hurts most. But good secure configuration on a network or storage, in line with that, is equally important.
