Dominic Vijay Kumar, DVP & Head IT, ART Housing Finance, emphasizes security preparedness for work from home.
What are your roles and responsibilities as Head of IT and security at ART Housing Finance?
My core responsibility is deciding on the technology and the digital roadmap, then application development, IT operation, cybersecurity and information security, IT governance, compliance, audit and risk management. Then comes my strategic planning also.
What are the critical security deployments at ART Housing Finance and how were these milestones reached?
This financial year, especially 20-21, we had major security deployments because we are a digital driven company. We use a lot of mobile apps and so, with that BYOD concept, the main focus was on mobile device management implementation, prevention of phishing attacks and firewall implementation across all the branches.
Second thing is to achieve these milestones. At first, we had selected a very good vendor. The vendor has to play a major role in the complete project execution. Then a defined project timeline, defined project plan and tough timelines along with relevant tools, periodic reviews and mentoring and guidance is very important for any project to be successful.
So it is your team, and guidance, and then your vendor. Three things, which make your project successful and we were able to achieve these milestones before the target.
What are the key critical challenges for a CISO today, especially after the impact of COVID-19 has changed the business model of most organizations?
While working from home, you do not know what kind of devices, what kind of network you are working on. Then data is coming from multiple sources, uncertainty, on what kind of metrics you have to present to the board and convincing the board, getting the budget approval for new implementation within short span because COVID-19 was not a pre-planned activity. We did not predict anything as such, so getting things moving, budgeting, approvals, then communication to the internet team and training were challenges. These are the major challenges as a CISO and as a CIO or Head of IT, which we went through in the last six months' time. Especially when there was an incident and reporting the incident, getting the incident back, protecting your data, security is playing a major role for it, but there is a big laundry list for this.
Other than the security challenges arising out of WFH, how as a CISO would you look at the growing importance of a BCP and auditing of the BCP?
We are a housing finance company so we come under RBI and NHP. Hence, we are a regulated company. As a process, we are supposed to set up a BCP and DR. This pandemic has really made BCP as a new normal, while all these days BCP was a regulatory requirement and the compliance and audit requirement.
But today, the last six months, I can see, we had used the BCP plan to the maximum, because when you are working from home, you work on multiple networks and there was a limitation on the support team coming to the data center. So the only option for us was to use BCP. It has played a major role in this pandemic time, and it is a new normal.
Now, you cannot consider BCP as an audit or on paper. It is a requirement, it is part of your day-to-day life and when we see that, we are ready with everything, BCP should always be available to us.
How can digital technologies help in current crises like liquidity crunch and NPAs?
Digital technologies will not play a vital role in present liquidity crunch and NPAs. But yes, when you look at liquidity or NPA, I think it is a global hit. Especially in India, when I look at the economics, during the last two years, there was a major liquidity crunch, where we had to cut short on the business, but to overcome that there was no technology as such. It is more of an issue of how we are going to get funds, how do we use the funds, and what you have.
When you talk about NPA, we use technology to a certain limit that is when you are trying to acquire the customer or when you are trying to access credit. But if a customer, in the first five years, pays the EMI properly and the next six years EMI starts bouncing back there we cannot do anything but otherwise NPA is more of a natural disaster kind of thing. It can happen anytime.
How are you adapting to the newer security challenges at a financial services player like ART Housing Finance arising out of the current situation?
As every organization, we are also facing a lot of challenges when it comes to security of all because from March, when we were calling for a lockdown, we did not know what to do. We were all tailored to come to the corporate office, to the branch and start working and only a few people used to work online. But when we started working from home, there are major challenges, which we had to overcome. So we had to work overnight. We had faced a lot of security challenges, like phishing, phishing attacks, whaling attacks of means, ransomware attacks but not to that extent where we were taken over. Few security challenges, which we faced during the pandemic and we were able to overcome that also because again, as a regulated company, we always planned certain things. So to overcome that, we were using certain tools to get things moving.
How important is a cyber liability assessment today in case of cyber crisis? How would you identify and assign the responsible stakeholders?
When I say cyber liability assessment, I can only say it is cyber liability insurance, because when you say assessment, it is more of an insurance. As an organization, you should have a cyber insurance, which is very important because cyber insurance covers many things like your data breach, ransomware attacks and there are certain expenses which are unexpected. Cyber insurance plays a major role and it is very important with the present situation where we have ransomware, data breach, data theft or any kind of natural disaster to recover your data.
We as organizations have already planned for it and lots of assessment has been done and we are working with a lot of other insurance companies to get our data, as well as your asset IT infrastructure insured. So that tomorrow if there is any kind of issue, we try to recover their costs, not the data, but recover the costs, which we have spent on that. So that is one of the norms now.
As far as the stakeholders are concerned, in a regulated organization like us, we have stakeholders, we have a steering committee and executing committee. These are the two committees, which have the board of directors, the MD and CEO, and the CFO. These are the gentlemen who play a major role in any kind of data breach or ransomware attack and insurance. And these people are solely responsible for taking decisions and giving us the go ahead in any of these kinds of activities.
How is ART Housing Finance leveraging on technologies like mobility, AI, analytics, blockchain, IoT among others?
ART Housing Finance as an organization is more on mobility platform. We were one of the first housing finances in India to have a mobile-based customer acquisition and give an approval at the doorstep. Normally in a housing finance company, you have ‘n’ number of papers, forms to be filled whereas we created and developed an app which was helping us reduce the time from 15 days to a few hours. So there was a major reduction.
Artificial intelligence and analytics is very important for us. We are more at the initial stages. We were in discussion and closing some but due to pandemic we had to put it on hold.
As far as IoT and blockchain is concerned, we are not looking at IoT right now but blockchain we may be looking, because in India, blockchain is not so mature as such.
In the current scenario of WFH where people are connecting from heterogeneous devices and networks, what would be your advice for CISOs on endpoint security vis-à-vis network security?
You have to have a network in such a way that you can work from anywhere. It is no more a norm that you got to come to your office and work, or work from home, but it is work from anywhere. So basically there are three very important things, which I look at. One is the device level security, in case you are using your device, we need to look on how we are going to secure your device without compromising on the privacy of an individual. Second thing is what kind of application should be given to whom. That needs to be very clearly segregated, everyone should have everything. Segregation of duty and roles should be there and every person, every user, every employee of that particular organization is responsible for the security of the company. Security is not only the CISO's or the CIO's job. Every individual needs to take the responsibility because everyone plays a vital role. These are three important things for us, if you look at work from home or any kind of devices you are working for. There are very senior CISOs in the industry, but from my side this is my suggestion to all the CISOs going forward.