Babitha B P, CISO-CSB Bank elucidates how digitization is helping the bank during the pandemic.
What are the key technology solutions used by CSB Bank and what are their use cases?
As a bank our prime focus is customer service. We are adapting the latest technology to provide a physical banking to our customer, but with the technological advancement customers are able to get banking services at their homes even without coming to the bank. As a CISO, I am more focused on how secured our IT infrastructure or how secured is the service being provided to the customers.
How are digital technologies helping CSB to tide over the current COVID19 crisis?
When we talk about use cases of the technologies, especially from securing our system, we are adapting AI based solutions with behavioural analysis. This helps us to identify the zero day threats and to invoke the incident response accordingly. The Bank is using advanced cyber-security to secure our IT infrastructure.
We review and constantly update the tools to ensure that it is configured correctly and the purpose of the tool is served. We ensure multi layer security controls in place so that even if one control fails to prevent or detect the other layer we will still do that so that we can take necessary action to minimize the impact.
When it comes to security, people are the weakest link. So we are taking extra effort to create awareness about information security among the employees, as well as the customers. Lack of awareness is the key for exploitation when it comes to a cyber attack or a cyber fraud.
Looking from a banking business perspective, we have lots of digital products in place when the customer can open an account from his house, or he can take a gold loan from his home itself without coming to the branch. All these are possible because of the digital advancement.
When it comes to banking operations, during this period of COVID-19 banks have to give work from home facility to our employees as most of them are not able to reach our office. We are able to provide this facility just because we are having the secured VPN solution with us and we have taken necessary actions. The solution was capable enough to provide security measures like binding the device of the user, multi-factor authentication, checking the profile of the system, data leakage prevention, all these actions in-built in the solution. Because of that only we are able to survive even during this COVID time without affecting our business.
How are the roles of the CISO aligned with the CIO?
In case of a CIO or CTO, they are always ready to adapt or implement new technologies to meet the business requirement. They have to meet this requirement within the timeframe. So they concentrate mainly on the project timelines, but when it comes to CISO, we analyse the technology, technological and operational risks involved in the project and put controls in place to reduce or remove the IT gap. CIO, CTOs are more focused on delivering the digital service to the customer and to maintain the uptime of it. Whereas a CISO will be more focused on how secured the digital service provided is, and ensure confidentiality, integrity, availability of the service.
Now CISOs are involved right from the project so that we are able to address the security gaps well in advance. In most of the banks, CISO and CIO work hand in hand.
What are the critical security deployments at CSB and how were these milestones reached?
CISO or the security team have come up with a lot of security products in our bank. VAV, DDoS, EDR all these technologically advanced security products are now available in our bank.
One thing, what I take care of and which is different in my team is that the security team itself does the implementation so that the team will know all the aspects of the tool. We can ensure that it is configured the way we want and without our knowledge, no one can change the configuration of the tool also. That is one of the advantages which I hold here and another advantage by this is that I am able to reach my desired milestone correctly within the timelines because we are ourselves the implementing team.
What are the key critical challenges for a CISO today especially after the impact of COVID19 has changed the business model of most organizations?
Due to COVID-19 now employees who are not able to come to office have to be provided access from their home. Now people are accessing our bank’s network from home, which never happened before. When they are working from home at times they are not even able to identify threats and we have given access to personal devices also. Visibility of the applications in the device or shadow IT is a challenge right now.
Even now vendors are also using VPN for supporting us. Till this time of COVID, we were worried only about the redundancy of the system. So if one system fails, how does the system take care? Now it is not that, we have to think about the redundancy of the people. If something happened to a person, how this process that was done by that person is carried by the other so that it would not affect business.
In work from home scenario, we are not having any control or we are not able to monitor the activities of the people.
Earlier, if there was any issue in a closed environment they were monitored and we had a physical control in place unlike now. All these factors are of high challenge to CISOs now, and the attackers are also trying to exploit all possibilities to get into the system.
Other than the security challenges arising out of WFH, how as a CISO would you look at the growing importance of a BCP and auditing of the BCP?
BCP and auditing of the business continuity plan is very much important because as a bank we always test our BCP by conducting DR- drills.
We are confident enough when there is a failure of any system, but now in COVID times, we are prepared for critical devices and all, but the people resources were not considered.
We did not create any business community plan for the services that has been provided by the people and if any person is not being able to come to office, how we can take over to provide an uninterrupted service to our customers.
How important is a cyber liability assessment today in case of cyber crisis? How would you identify and assign the responsible stakeholders?
Cyber risk assessment is a crucial part of organization’s risk management strategy. It is required for the proper response of risk and it will help the stakeholders to decide how they have to invest in the IT projects. Like when we are assessing the risk, the risk assessment is based on the gaps identified, and we will see how far that gaps can be exploited. If there is any mitigation controls in place and if that is getting exploited, what will be the loss that will affect the bank or how much loss it will create to the bank. All these things need to be analyzed in a well mannered way and the stakeholders need to be made aware of the laws or liability that may rise due to the compromise of the system by exploiting these identified vulnerabilities.
Investments of the security tools also should be based on risk assessment and the business impact it can create due to this.