From Infrastructure Facilitators to Business Enablers – The Evolving Role of a CISO at Banks
Shrikant Shitole, Managing Director, India, Symantec Sep 12th 2016

Adoption of modern technologies and a shift to a digital business model, in both operations and service, have repositioned the financial services market in India. It has transitioned from a fundamentally labor-based model to an automated, process-driven one. This change in the business landscape, combined with infrastructure modernization, has opened up avenues for cyber criminals, making security an architectural need rather than a product play. Security is no longer an IT agenda but a boardroom agenda, in which the Chief Information Security Officer (CISO) has a crucial role to play. The advisory issued by the Reserve Bank of India (RBI) in June 2016 to Indian banks on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds reiterates this. It requires banks in India to proactively deploy, modify, upgrade and fine-tune their existing policies, procedures and technologies, based on new developments and emerging concerns, to create a Cyber Security Framework.

State of Cyber Attacks and CISO Prerequisites

Alongside the technological advancement, cyber-attacks on financial services organizations are becoming increasingly diverse and therefore unpredictable. Symantec’s Internet Security Threat Report, Vol. 21 revealed that 40 percent of BFSI businesses were attacked at least once in 2015. Recent research by Symantec titled Financial Threats 2015 found that financial Trojans are becoming far more capable and that criminals are increasingly targeting institutions directly. These findings make clear that as the severity and frequency of attacks increase, only a resilient and flexible cyber security model will prepare and protect the financial services industry.

In a dynamic business environment with advancing customer needs, technology is becoming more a part of every business and, therefore, more crucial to business strategy. IT leadership now plays the role of strategic partner rather than operational player. Today, enterprises need IT teams to be agile, adaptive and quick to deliver value to the business. Each new wave of IT, be it mobile, big data or cloud computing, comes with business benefits, but equally creates a series of challenges which can have a significant negative impact on the business if not planned for carefully. This puts the onus on the organization to ensure that IT leadership is proactive rather than reactive.

Security is no longer a one-size-fits-all solution. As such, the role of the CISO is changing. Information security is not a final destination but a journey in which the CISO must align closely with the business to ensure operational competitiveness and growth. CISOs should be equipped to successfully manage a stable technology environment even against a maelstrom of change. As data moves dynamically, protecting this information becomes critical for CISOs. This change of role is a balancing act for any CISO. The prerequisites of this role involve:

Risk versus opportunity - The financial services industry needs to balance the protection of the banks’ information and assets against the need of employees, partners and customers to access information at their preferred times and locations. Banks have to innovate to be competitive, and innovation exposes them to risk, yet they must do so without jeopardizing reputation and financial assets.

Security versus cost - Strategies to manage risk within the financial services industry typically include:

-Transferring risk to another party

-Avoiding risk

-Reducing the negative effect or probability of risk

-Accepting some, or all, of the potential or actual consequences of a particular

Regulatory pressure versus actual risk - As regulatory pressure increases, the finance industry needs to comply, but there is a risk that this can divert focus from targeted attacks. Companies must ensure that regulatory compliance does not come at the price of protecting against targeted attacks that could damage reputation and customer loyalty, not to mention inflict major financial loss.

Threat intelligence is essential - The way to stay ahead is to have access to the right intelligence and the knowledge to make use of it. As technology evolves and user behaviors change, any security intelligence program needs to proactively seek to understand future threats.

A valuable transition - Security leaders who make this transition from Technology Expert to Business Risk Manager also secure more budget. Being able to communicate IT risks effectively in business terms becomes imperative; it also provides security leaders with the metrics needed to justify additional security investments.

Implementing Future-Proof Security

Emerging trends and technology evolution are paving the way for new ways of working, but also for new security threats and challenges. As cybercriminals have shifted their focus to bank employees, the only constant in this game is change. Security strategies and infrastructures need to become more agile and predictive. No technology can rule out the human factor completely, so security awareness will remain critical.

Banks today need intelligent, accurate threat detection and proactive notification of emerging threats to ensure sensitive data is protected. Keeping awareness at the forefront, banks should adopt an information-centric approach which will enable security experts and advisors to better evaluate the environment and deploy suitable solutions. Some of the key initiatives to future-proof the infrastructure would entail:

Improved real-time tracking and business intelligence - Setting up a Cyber Security Operations Centre (SOC) to continuously monitor the environment, using appropriate and cost-effective technology tools and clearly defined policies and procedures based on best practices, staffed by technically competent and capable personnel, is the need of the hour. The RBI advisory outlines monitoring, analyzing and escalating security incidents in real time as the key responsibility of the SOC. By developing responses to protect, detect, respond and recover, conducting incident management and forensic analysis, and coordinating with contact groups within the bank as well as external agencies, the SOC will add tremendous value to Indian banks.

Preparedness to Respond and Manage - To enhance the resilience of the banking system, banks must improve their current defenses. Given the low barriers to entry, evolving nature, growing velocity, motivation and resourcefulness of cyber-threats, it is imperative for banks to put in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents or disruptions. RBI recommends devising a fully effective incident response program with due approval of the board. Intended to support banks’ cyber-resilience objectives, it should be designed to enable banks to recover rapidly from cyber-attacks and safely resume critical operations in line with recovery time objectives, while ensuring the security of processes and data.

Automation of processes - Automation is a vital part of a future-proof security infrastructure, as it helps guard against human error and offers the capability to manage large amounts of data.

Education of employees and customers - Education is the best defence against many threats. However, it is most effective when organizations break away from traditional security awareness models to employ creative and immersive techniques and deploy technologies that can influence user behavior. The RBI guidelines stress the need to educate customers on the downside of sharing credentials and to encourage them to report attacks and breaches so that effective remedial action can be taken.

To stay ahead of cyber criminals’ malicious attacks, financial institutions will need to continuously update their information security policies, systems and infrastructures, and ensure they keep up with best practices in securing customers’ data. As new-age CISOs take center stage, it will be imperative to adopt new and intelligent technologies and services to cope with competitive pressure, while aligning with the regulations.
