Striking a balance between business and risk

In an insightful one-on-one conversation, we delved into the nuanced world of cybersecurity with Ratan Jyoti, CISO @ Ujjivan Small Finance Bank.

Minu Sirsalewala

Ratan Jyoti shares his experiences, imparts wisdom, and demystifies the intricacies of cybersecurity in the ever-changing banking landscape. Excerpts from the interaction…

As the CISO, what methods and best practices have you put in place to protect the data and cloud infrastructure of Ujjivan Small Finance Bank?

Adaptability is the key: At Ujjivan Small Finance Bank Ltd. we have safeguarded the bank’s assets from the ever-evolving cyber threats by establishing a holistic information and cybersecurity infrastructure as well as by promoting information security within the organization. I am a member of National Level Team, change control board, IT strategy and ORM committee and a part of the committee shaping the future of the bank regarding security in the growing threat landscape.

As a cybersecurity professional, one needs to keep pace with change – be it new technology, regulation, or threat. By being adaptable, we have proven to be successful. We have successfully implemented highly complex and secure architecture at the bank with the usage of next-generation technologies and solutions like AI/ML, Data Analytics, Web3.0 and Zero-trust.

A CISO today should…

• Rather than just detection and prevention, focus more on establishing cyber resilience.

• Keep learning from peers' mistakes and from your own mistakes.

• Position cybersecurity as a business accelerator.

• Adopt policies, procedures, and guidelines that address the full continuum of security risks and threats.

• For cloud security, the CISO should stick to five basic principles – data encryption, complete visibility, privacy controls, continuous monitoring, and incident response plan.

Data residency across cloud services creates complex choices in regard to balancing business needs against growing risks to provide adequate data security and compliance. Your thoughts, and how does this impact functionality?

Banks around the world grapple with the task of meeting compliance and passing audits while at the same time ensuring there is minimal hindrance to the business. For banks embracing the cloud, it may not be easy to migrate to the cloud environment, as Indian financial markets are the most regulated environments, and striking a balance between technological advancements and the regulations is a very cumbersome task.

For cloud security, the CISO should stick to five basic principles – data encryption, complete visibility, privacy controls, continuous monitoring, and incident response plan.

Major regulations from the regulators in terms of financial guidelines are:

• Key management should be done by the regulated entities.

• Data localization, suggesting the residency of the data within the restricted geographical area.

• Business resiliency for both the CSP and the bank.

• SLAs for the services being rendered.

• IAM shall be made available to the customer by the CSP.

• Log monitoring from the customer side, and many more.

• Backend updates monitoring.

• Network segregation.

So, considering such regulatory aspects, the bank should choose the Cloud Service Partner which is the best in terms of security and the reputation provided balance shift between security and functionality.

How can the CSP (Cloud Service Provider) help banks in managing between business and regulatory advices?

• Customer-managed keys allow banks to choose from the list of locations and provide flexibility.

• SLAs for different services are shared by Amazon before getting into engagements.

• IAM availability.

• Allows us to consume logs into an on-prem/cloud SIEM solution.

• Flexibility to push database logs to Database Activity Monitor solutions.

• Scalability.

Balancing adherence to guidelines and promoting business can pose a challenge in managing both aspects effectively. Banks must treat customer convenience and security as the objective when choosing the cloud solution.

The dynamic nature of the cloud can add an extra layer of complexity, which leads to a significant drain on time and resources. Since one of the major drawbacks in the cloud structure is visibility and the data may travel outside the Indian boundaries, banks should restrict the same through legal means in the terms of agreement.

In terms of data privacy and leveraging SaaS-based platforms, banks can evaluate the tokenization concept to protect customer data with the support of the Cloud Service Provider.

What part does threat hunting play in Ujjivan Small Finance Bank’s overall cybersecurity strategy and how does it help with the early identification and avoidance of potential cyber threats?

Threat hunting is a proactive approach used to identify unknown, undetected, and non-remediated cyber threats in the organization’s network. These threats can compromise the automated defence systems resulting in a cyber threat. Cyber threats are identified using threat-hunting methodologies and techniques such as automated threat detection. To tackle the same, Ujjivan has implemented a state-of-the-art SOC team which consumes and performs threat intelligence.

We follow a proactive ideology and do not wait for an alert to generate or an incident to happen. We identify and collect required logs to contextualize threats and attack surfaces. SOC anticipates imminent threats, weighs up, updates and fixes and has an effective detection capability against the changing adversarial landscape. We have adopted an agile and automated incident process.

We are using multiple ML models to detect the ‘unnoticed and undetected’ threats. These models, using historical signals, teach the systems and help in anomaly detection. Signals like network traffic, system logs, and user behaviour are input to these ML models, which in turn detect anomalies that are possibly threats that might have gone unnoticed using other security systems.

Could you elaborate on the importance of cyber defence mechanisms in the context of the banking industry, and what measures have you implemented to enhance Ujjivan Small Finance Bank’s cyber defence capabilities?

USFB incident response and management policy is based on the regulatory cybersecurity framework and it clearly signifies the path for an effective response management:

• A playbook-based incident response system.

• The defend framework is based on the prevent, detect, analyse, act and learn principle.

• A clearly defined role, responsibilities and SLA for all stakeholders with a clear workflow.

• Forensic-driven Incident Response System.

USFB incident management on a network (on a sample basis) can be broken down into five steps. These are:

• Identify persistent communication channels leaving your network.

• Analyse the protocol being used.

• Identify and evaluate the internal host originating the communications.

• Scrutinize the reputation of the destination system.

• Disposition the incident.

Security Operation Centre Process:

• Early identification.

• Triage events for threat detection.

• Risk-based prioritization.

• Detailed analysis of events (automated and manual).

• Defined workflow-based remediation process.

• Real-time system reviews.

Besides this, building comprehensive visibility across the entire infrastructure including the cloud, a data leakage prevention strategy, continuous network monitoring, and supply chain controls are other important factors to consider for cyber defence.

Can you share some notable incidents or challenges you have encountered during your tenure as a CISO, and the lessons you have learned from them in terms of improving cybersecurity practices?

Since humans are the weakest links in a rapidly evolving threat landscape, training and making them aware of the threat is one of the challenges being faced by us as an organization. However, we were capable of doing so with our efforts and continuous awareness sessions.

Not specific to Ujjivan but challenges are manifold for the industry:

• The first challenge is diverse solutions not talking to each other, so the organisation should develop complete visibility across sources.

• Skill shortage to manage multiple solutions is a common problem. Partnership and skill development are the fundamental solutions organisations should evaluate.

When attackers are seen using advanced automation, defenders must use automation and new-generation technologies like AI/ML.

More importantly, security cannot be a roadblock; it has to be a business accelerator, and so security should not only be a technology issue but a business issue.

In your opinion, what are the key skills and qualities required to be an effective CISO in today’s rapidly evolving cybersecurity landscape?

The CISO plays an important role in strategic decision making, including mapping product road maps, complying with a number of regulations, and ensuring the business securely embraces digital transformation while assuring the board, customers, and other stakeholders that cyber capabilities are fit for the purpose. The CISO position is equally challenging and has rapidly evolved from a purely technical role to one that requires interpersonal skills, and in the ever-growing landscapes of the cyber world and the threat structures, one has to continuously improve their resiliency structures.

A CISO should:

• Have strong communication skills to communicate with the board, regulator and other stakeholders.

• Play the role of a connecting link between the regulators and the bank.

• Be a brand ambassador for all digital innovations.

• Be a strong leader with strong team-building skills.

• Technical expertise, proactive mindset, and strategic thinking are other differentiating traits.

• Be a continuous learner.

A CISO should have the key skills to balance between business and risk, the controls should not strangle the business and should not be loose enough to make it accessible for every malicious user.

 Ratan Jyoti

CISO, Ujjivan Small Finance Bank

minus@cybermedia.co.in
