Ashton D’Cruz, Director, CAO, CGO, CISO & Head – CC&S Governance, NatWest Markets Plc, India, outlines his functions at NatWest Markets and how they have become more critical in the current pandemic situation.
What are your roles and responsibilities as CISO and CAO of NatWest Markets?
I am working with NatWest Markets, which is a corporate bank in India. I have been with the bank for 15 years and currently I am fulfilling the responsibilities of Chief of Staff, Chief Administrative Officer and CISO. As Chief of Staff and CAO has been my primary role, it covers operations strategy for the organization. This also includes oversight and management of various business resilience aspects. We cover BCP, incident management, fraud management and record management among others, as well as facilities oversight. Here you also have to look at physical security as the Chief Administrative Officer.
This role of a CISO was in a way a responsibility that came to take care of all the added aspects that were already a part of the Chief of Staff and CAO role that I already had. It essentially covered the information and cyber security aspects. The CISO role is unique as it defines the approach and formulation of banking in India, keeping in mind both the global and local requirements, as well as round-the-clock monitoring of the assets of the bank against any kind of threat, be it internal or external.
What is the synergy between the two roles?
The CISO role and the CAO role complement each other. As the Chief Administrative Officer, where I have the oversight of the physical security of the branch and the bank across India, we also extend towards the data security and the cyber security aspect. With the Chief of Staff setup, we take a look at the business resilience aspects, which cover fraud management, incident management and also BCP requirements. So the service security role is just an extension and an outcome of advancement in technology and digitization, where it has changed from a traditional form of security to a more advanced and digital-based system.
What are the key critical challenges for a CISO today especially after the impact of COVID-19 has changed the business model of most organizations?
In my opinion change is the only constant that we have. One is always dealing with changes, be it changes in landscape, regulation & legislation. The current scenario has made change happen overnight, increasing and accelerating the surface area of attacks, primarily due to work from home scenarios or poor working setups. So this is the only change I see from my perspective, where there has been an exponential increase in changes that always used to happen in a CISO’s life.
Thus you can say that a CISO’s life is not a constant, as you cannot determine that what we are doing on day one will last till the final day. A CISO is always making changes that are subtler than in previous scenarios. Now, with the onslaught of the pandemic and the disruption that it has caused, the changes by a CISO have become more exponential.
My key understanding to mitigate any risk will be user awareness, because with work from home the end point is now the user and it is outside the organization’s or entity’s control. Then, knowledge of the exceptions that have been created in your infrastructure, and finally risk distancing, where you should try to adopt the zero trust team work, the need for least privileges on a need-to-know or need-to-access basis, and constant team exercises to see how secure the network and infrastructure is.
How would you describe the expanding vistas of cyber security during these uncertain pandemic times?
For expanding vistas, it all depends on which side of the fence you really sit on. For me, I come from both roles, as in Chief of Staff & CAO, which is the business side, as well as the CISO role, where I am on the fence. As a CISO I see it as an increased risk, mainly due to the fact of an expanded area of attack. There may be insecure end points; there can be first-time users of remote working or work from home without the proper training to understand the nuances of working from home and the risk that it holds.
Being a CISO, I see it as the risk. Then, on the other side, it is an opportunity for the business side to change my business model and culture. This pandemic and lockdown situation has given us an opportunity to change. In the banking structure I will quote an example: “We have observed a mass digitization and that people have gone into the electronic mode of doing transactions, which was not the case even when we underwent demonetization. So this pandemic, even without forcing the people, has made everyone more acquainted and familiar with the electronic form of banking.”
Other than the security challenges arising out of WFH, how as a CISO would you look at the growing importance of a BCP and auditing of the BCP?
All organizations should ideally have a BCA plan and a BCP approach which they would have also been testing and reviewing on a regular basis. The difference between this current pandemic and any other BCP scenario was that in this situation, it was not about the unavailability of assets or premises or a geographic area like a city or a country. It was more about the unavailability of staff and people to access all these assets and resources.
All of our systems had 100% work time even during the pandemic. Our premises were all available for use and accessible. It was just that the staff who are required to access the premises were not available. So this situation was unique and at a global level. Most of the BCP plans had intercity or, in some cases, even inter-country arrangements if those were multinational banks like ours. We never thought that all the countries around the world would go down, so it was about that fact where we needed to learn and understand.
Within the bank the transition into this new model of working was quick and easy, as we already had some areas where remote working was allowed with proper monitoring. We were able to get our entire workforce in India, which is about 10,000 plus including back office processes, as well as the entire global workforce of about 50,000 staff, into the remote working model, with the exception of some small modules or smaller teams, within a fortnight.
How as a CISO at NatWest Markets would you look at countering the cyber-security threats of the Dark Web?
I believe that with hackers and the Dark Web they have the opportunity to fail, whereas the organizations do not have that luxury. What I mean by that is, if a hacker is attempting to hack a particular organization, it could take a hundred tries and the hacker could fail the first 99 times. If the hacker is successful on the hundredth time, it will be a success. Now counter that with the organization: they have been able to revoke a threat for the first 99 times and no one says anything, but the moment you are exposed to a breach everything goes haywire. So in a way the hacker starts with a major advantage compared to the organization and the CISO.
To counter these, there are simple steps for the CISOs, like continuous monitoring, an outlook on potential threats, upgrading your industry intelligence to protect your own system, etc. Try conducting threat hunting exercises in your team so that you can find the weaknesses and vulnerabilities in the infrastructure. Sometimes thinking differently is also key, like having ethical hackers or ex-hackers be a part of your core team, as a hacker will best know how a hacker thinks and understand the weaknesses and vulnerabilities and how to defend them.
To summarize, the three points will be:
1. Continuous monitoring.
2. Utilize threat hunting exercises.
3. Ethical hackers.
How do you ensure the governance and regulatory compliances during this crisis period?
As a segment within the BFSI space and within banking, we have been pretty lucky in a sense that both the government and the local regulator, which is the central bank, have been pretty liberal and have allowed certain relaxations in both operating requirements and, from a compliance perspective, in procedures to be able to work from home or work remotely. So the RBI and the government have been pretty helpful on that part.
Having said that, being a bank and an essential service, we have always kept our basic services available to customers throughout this crisis period, because we have been working at full capacity throughout this entire crisis. Moreover, as an industry it has been a consolidated effort on our part to be able to engage with the state and the regulator and understand how best we can ride through this crisis and through this entire situation. We also kept in mind that there is no compromise on customer data or information security from an organization perspective. We were able to train our users and at the same time provide a few solutions and systems by which we are able to better monitor whether any potential breach or unauthorized access has occurred, and ensure that we are in compliance with the regulatory requirements from the Government.
How important is a cyber-liability assessment today in case of cyber crisis? How would you identify and assign the responsible stakeholders?
Cyber liability assessment, or cyber risk assessment (we can term it both ways), has always been important. It gives us an understanding of where we stand on the curve and also an understanding of what the exceptions are. You always need to have the knowledge of your exceptions, your weak points or vulnerabilities; it always has been important, but now it has been exemplified in today’s scenario. My simple take on it would be: we always need to maintain and follow a 360-degree assessment across all our stakeholders; there should not be any division between who’s more important or who’s more critical from a cyber-security perspective.
How is NatWest Markets leveraging on technologies like mobility, AI, analytics, RPA, block chain, IoT among others?
These are basically next-gen technologies that we are talking about, and we are actually leveraging them within the bank on both ends of the spectrum, as part of our business and product development as well as customer service, to be able to give better products and services to our customers. We even do so from a cyber-security perspective. If I dwell upon the cyber security side, then the key area we will be looking at is from a threat intelligence perspective.
We will be able to evaluate past incidents both within the organization and outside from a threat hunting perspective, to be able to scope for fresh vulnerabilities and fresh risks within a setup, and from a data analysis perspective to be able to assess user behaviours, etc. There may be instances where the user may require to access something from places which they may have tried to access without authorization. Nonlinear languages of AI can be leveraged upon to be able to assess any of these analytics, and RPA is basically robotic process automation, which could be used for monotonous tasks to free up manpower and staff to be able to do the more complex jobs within the cyber security space.
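The continuous monitoring and threat hunting steps listed earlier, and the user-behaviour analytics described in this answer (spotting users who try to reach resources outside their authorization), can be reduced to a few checks run over an access log. The following is an added example and not code from the interview or from NatWest Markets; the log line format, the role-to-resource need-to-know policy, the denial threshold and the working-hours window are all constructed assumptions for illustration.

```python
"""Continuous-monitoring checks over a constructed access log.

Three defender-side checks a threat hunter might run routinely:
  1. accesses to resources outside a role's need-to-know set (policy gaps),
  2. users repeatedly denied on the same resource (probing behaviour),
  3. successful accesses outside working hours (behavioural anomaly).
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, user, role, resource, outcome (ALLOW/DENY).
SAMPLE_LOG = """\
2020-06-01T09:12:04 alice trader trading-platform ALLOW
2020-06-01T09:15:31 alice trader hr-payroll DENY
2020-06-01T09:15:40 alice trader hr-payroll DENY
2020-06-01T09:15:52 alice trader hr-payroll DENY
2020-06-01T10:02:11 bob ops backup-console ALLOW
2020-06-01T02:47:09 bob ops backup-console ALLOW
2020-06-01T11:30:00 carol hr hr-payroll ALLOW
2020-06-01T11:45:17 dave contractor trading-platform ALLOW
"""

# Hypothetical need-to-know policy: the resources each role is expected to touch.
NEED_TO_KNOW = {
    "trader": {"trading-platform", "market-data"},
    "ops": {"backup-console", "monitoring"},
    "hr": {"hr-payroll"},
    "contractor": {"ticketing"},
}


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, outcome = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "resource": resource,
            "outcome": outcome,
        })
    return events


def out_of_policy_events(events, policy):
    """Any touch of a resource outside the role's set, allowed or denied.

    An ALLOW here is the interesting case: it is an enforcement exception the
    CISO should know about, not just an attempt that was blocked.
    """
    return [e for e in events if e["resource"] not in policy.get(e["role"], set())]


def repeated_denials(events, threshold=3):
    """(user, resource) pairs denied at least `threshold` times."""
    counts = Counter((e["user"], e["resource"]) for e in events if e["outcome"] == "DENY")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def off_hours_access(events, start_hour=8, end_hour=20):
    """Successful accesses outside the assumed working-hours window."""
    return [
        e for e in events
        if e["outcome"] == "ALLOW" and not (start_hour <= e["time"].hour < end_hour)
    ]


def review_log(text, policy=NEED_TO_KNOW):
    """Run all three checks and return a compact, sortable summary."""
    events = parse_log(text)
    return {
        "out_of_policy": sorted({(e["user"], e["resource"]) for e in out_of_policy_events(events, policy)}),
        "repeated_denials": repeated_denials(events),
        "off_hours": [(e["user"], e["resource"], e["time"].isoformat()) for e in off_hours_access(events)],
    }


if __name__ == "__main__":
    for check, findings in review_log(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

On the sample data the policy check surfaces two findings of different kinds: alice's blocked attempts on the payroll system, and dave's allowed access to the trading platform, which is the quiet enforcement gap that a denial count alone would never show. Keeping the policy map as data rather than hard-coding it in the checks makes it easy to diff against the entitlements actually granted.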
In the current scenario of WFH where people are connecting from heterogeneous devices and networks what would be your advice for CISOs on endpoint security vis a vis network security?
My simple advice to CISOs would be that both are equally important; there is no first or second here, because an insecure endpoint can ideally leave you vulnerable to threats and undo all the security work that you have put into securing your overall network. To be able to secure both your endpoints and your network, it is key that you adopt a zero trust framework, which is key to securing your entire infrastructure, as well as ensure proper staff and user awareness and training, given that more than 80% of the breaches have been more or less internal rather than external, and within this 80% close to 95% is due to lack of awareness of staff.