When we talk about growing information security threats, the financial services industry appears to be the most vulnerable of all industries, considering the huge amounts of highly sensitive customer data that it deals with. As financial services companies open up a range of new channels to their customers, they have added to their own security risks by leaps and bounds. Any information breach can cost a great deal, not only in monetary losses but also in irreparable damage to the company's image and reputation. What needs to be monitored and what does not? How do you strike the balance between security and accessibility? These are puzzling questions facing the industry, and as the head of the security function, the CSO is the best person to answer them. Here we try to get the answers from Parag Deodhar, Chief Risk Officer and CISO, Bharti AXA General Insurance. Excerpts:
Reports from leading consulting firms suggested that security threats to financial firms would be on the upswing in 2014. How far has this been a reality? How is the CSO going to fight this out?
Financial firms have always been targeted for obvious reasons and will continue to be high on the list for cyber security threats. With the changing technology landscape, we are seeing new threats emerging and CSOs will be challenged even more. CSOs need to continue to be ever alert to identify the changes in their business and IT architecture to pre-empt the threats and put in place countermeasures. In line with this, we are focusing on a detailed security assessment and controls implementation program this year.
What are the biggest challenges relating to security in the financial services space in a scenario where digital channels continue to evolve? Which area in security, do you think, is right now the most critical?
With increased focus on digital channels by companies, compounded with the complexity of mobile access and social media integration, the security challenges increase manifold. The regulations related to data privacy are also evolving and we will see increased requirements for security in this space. Security for mobile apps is one of the most critical areas in my view. Our security team is working closely with the digital team to ensure that the safeguards are in place for our digital presence.
With more stringent regulations on customer information security coming up, how are companies ensuring they comply with the norms and keep security at the forefront of their objectives? Also, regulatory norms could be different for different geographies, so how do you overcome this challenge?
Yes, the regulations related to customer data privacy are evolving and I expect much more stringent requirements to be prescribed. This is absolutely necessary from a customer point of view as well. There is a lot of focus on compliance with these regulations by the companies, and CSOs need to keep track of these requirements. They also need to apprise the senior management of the consequences of non-compliance, as any data breach could have a major impact on the company's reputation and lead to hefty fines and penalties. This would have a direct impact on the company's financials as well as its stock price. For multinational companies operating in different geographies, the challenge is bigger as they need to comply with multiple regulations and need to keep a close watch on changes in laws and new requirements. CSOs need to collaborate with the legal and compliance teams to keep abreast of all these requirements and have a dedicated team to comply with them. As CRO and CISO, I work closely with the business teams and the legal and compliance teams to understand the business requirements and the regulatory requirements, and incorporate them into our security architecture.
In the financial services sector, there is an extreme need to maintain the internal control environment and third-party information security. CSOs have the big responsibility of ensuring that data or information is secure from threats that can be external or internal. How do they tackle this?
The job of the CSO has become even more difficult in terms of ensuring that all data is protected. The reason for this is that today data no longer remains within the perimeter of the company. Data is now stored with various service providers, in the cloud, on mobile devices etc.
But this cannot be avoided, as it is a must for being in business in this competitive environment. Also, the threats are both external and internal. CSOs need to use a combination of methods like encryption, advanced authentication mechanisms, mobile data management, data loss prevention tools, and document rights management tools to protect the data lying in various places and moving through a variety of media. We have implemented many of these controls and are evaluating some other security tools and solutions to enhance our security posture.
A PWC report states that regulatory compliance remains the top driver for security spending. But a security model centered on regulatory compliance may not address evolving security threats. What is your take on this?
Regulatory requirements provide the baseline or the basic minimum standards; they have to be complied with without any compromise. However, each company has its own business model, operational processes, and IT architecture. It may require additional controls to mitigate the threats arising out of these processes. In my opinion, it is important for every organization to conduct a thorough risk assessment of their business processes and technologies to identify specific threats and select the right controls in line with their specific security needs.
These controls may be much higher than what may be prescribed by the regulations. The risk assessment needs to be done frequently, depending on the changes in business models, processes and new technologies, and the controls need to keep pace with the emerging threats. The regulations may not change as frequently, and if the security model is based on regulatory compliance alone, the company will be vulnerable to new threats for that period.
What is the role of security analytics in addressing security threats facing the financial services industry? Do you see this coming up strongly?
In today's technology environment, the amount of data generated by the IT infrastructure, including server logs, network logs, security logs from anti-virus, DLP, firewalls, IPS/IDS and applications, is huge. To understand and detect new threats like targeted attacks and APTs, it is important to correlate all the logs and generate meaningful reports. This is only possible with security analytics. Otherwise, CSOs will be flooded with data and it would be very difficult to identify and mitigate the risks. Going forward, I see security analytics playing a big role in the security model for the financial services industry. We are working on some security dashboards which will provide actionable intelligence for the stakeholders.