The defense of any organization against cyber threats depends on the robustness and effectiveness of its cybersecurity posture, which comprises People, Process and Technology. The bank has implemented a comprehensive layered security posture, with controls such as next-generation firewalls and web and email security gateways at the perimeter, and controls such as Endpoint Protection, Endpoint Detection & Response and File Integrity Monitoring at the endpoints. Database and application security controls, including a cloud-based Web Application Firewall, are also being implemented. Privileged Access Management solutions are in place for monitoring and tracking administrative activities.
Apart from these controls on information assets, the bank has established a 24/7 Security Operations Center for the monitoring and management of cybersecurity incidents. The bank has been PCI DSS certified for the last 3 years, with strong processes and controls over cardholder data. We have recently formulated a cybersecurity awareness program and plan to deliver it to our staff and customers through a knowledge-based cloud platform, as people are the weakest link in the cybersecurity chain.
How would we tackle non-state actors … black hat hackers?
Dealing with non-state actors in cyberspace is a challenge for states experiencing large-scale cyberattacks launched by such actors. Especially since more and more state actors seem to be hiding behind so-called independently operating non-state actors, it is important to get more clarity on how states could respond to such actors.
To protect the organization's information assets from these threat actors, I would again lay emphasis on developing and implementing an effective, layered security posture that strengthens your People, Process and Technology.
How do Black Hat Hackers Damage the System?
Black hat hackers are criminals who break into computer networks with malicious intent. They may also release malware that destroys files, holds computers hostage, or steals passwords, credit card numbers and other personal information. These threat actors typically engage in cybercrime operations and use hacking for financial gain, cyber espionage or other malicious motives.
While hacking might have become a major intelligence-gathering tool for governments, it is still more common for black hats to work alone or with organized criminals for easy money. The WannaCry ransomware released in May 2017 is one example. Within the first two weeks of its release, it infected approximately 400,000 computers in 150 countries. Fortunately, security experts released decryption tools within days of WannaCry's appearance, and their fast response limited extortion payments to about $120,000.
Do you have all the information you need to oversee cyber risk?
The main responsibility of the CISO is to provide the organization with maximum visibility of its threat landscape. This is a continuous process, and one cannot be sure of having complete information or visibility to oversee cyber risk.
Here Cyber Threat Intelligence (TI) plays an important part, providing intelligence relevant to the country, and especially to the financial sector, for managing cyber risk.
The following are some key factors for managing cyber risk effectively:
1. Monitor the risk environment
2. Monitor data assets
3. Implement an incident response plan
4. Gain management support
5. Third-party / vendor risk management
6. Build strong external relationships
7. Enforce security protocols
8. Evolve with the technological environment
9. Ensure you comply with the relevant regulations
10. Invest in security awareness
How effective is your cybersecurity strategy at addressing business risks?
While developing the cybersecurity strategy for the bank, we had two considerations in mind. Firstly, we conducted a gap analysis of what was missing in terms of People, Process and Technology, benchmarking against international standards and industry best practices. Secondly, the strategy had to be aligned with our business goals and objectives. The outcome was a comprehensive strategy with specific short-, medium- and long-term goals.
This whole process ensured that nothing was left out and gave us complete visibility of what was required to address business risk. We believe that we have made the right strategic plan, one which is effectively meeting business requirements against security risks.
How do we protect sensitive information handled and stored by third-party vendors?