When it comes to a CISO role, we should be aware of IT infrastructure, latest technologies, weaknesses in the technology that can be exploited by the fraudsters and have to come up with a solution to prevent, mitigate or detect the exploitation at the earliest.
This is an exclusive interview conducted by Santosh Vaswani, Content Writer & Editor with Babitha BP, Chief Information Security Officer (CISO) at CSB Bank Limited on her Professional Journey.
When asked about her career path to becoming a successful CISO, Babitha BP, Chief Information Security Officer (CISO) at CSB Bank Limited, in an exclusive interview with CIO News, said, I was working in the information technology (IT) industry in CSB Bank for over 15 years. I have worked in IT in various capacities and roles, right from the development of software, to networking, to the operational aspects of IT, etc. So, I was in charge of operations, and in 2016 the concept of a CISO came into the banking industry when the Reserve Bank of India (RBI) issued the cyber-security framework; all banks had to comply with the circular, and the role of a CISO came into existence in the banks. When the earlier CISO left the bank, my management was kind enough to entrust the CISO role to me, as I had been assisting the previous CISO, and I was the first female CISO in the Indian banking industry.
Initially, I was confused, as I was not aware of what kind of activities needed to be done, so I started working on learning more about information security and governance. I took the DISA and CISA certifications, attended many security sessions by industry leaders and attended CISO forum meetings. The CISO role is really challenging; a lot of new things need to be done, and I had to start from scratch to build a strategic roadmap as well as to form a dedicated team for information security. In many of the CISO forums I have attended, I was the only lady CISO, so I felt it was an opportunity for me to prove to the women community that we are good in this field, and that I can motivate many more ladies to take up the CISO role. My management was very supportive, and it is because of their trust and confidence in me that I became CISO. When a person moves from IT to a CISO role, only the thought process changes: earlier, in IT, I worried about delivering a product or service on time. Now, as a CISO, I have to worry about how securely the products and services are delivered to our customers.
When asked about the challenges she faced in her career path and how she overcame them, she said, there are a lot of challenges when it comes to a CISO role. We don’t have time; we cannot wait for something to be completed, and we cannot ask for time to do something. If we see that there is a gap in a solution, we have to fix it then and there, as we cannot buy time. For example: if there is a problem with password security, as a CISO or a security person I cannot wait for a month to give a solution for that. I should come up with a solution immediately; I have to stop it, and whatever technology is available in the market, I have to be aware of it and implement it as fast as possible. So, that is one of the biggest challenges a CISO or security team has: they don’t have time, and in this short period of time we should be aware of the latest technologies and what security aspects need to be taken care of. Even if there is a new technology, is there any loophole in the technology? So we have to learn new things every day, because only if I know about a particular technology can I see what is wrong in it. So, we should be updated on the technologies going to be implemented in the organisation and the risk in those technologies, and we have to come up with a solution also. A CISO should make sure that the business team is made aware that we are not the show stoppers, and that whatever actions we are suggesting are for the good of the organisation and for achieving business requirements. So CISOs should explain clearly what implications might arise if we do not fix a gap, how we can do it, and how it will help the business also. So, these are the main challenges when it comes to playing the role of CISO, and we should be ready to learn and adapt to changes according to business needs. If a person does not have the ambition or aspiration to learn new things, I ask them not to come to this field.
Every day we might come up with challenges and every day will be a new learning for us.
When asked about her opinion on the cyber-attacks happening recently, she said, a lot of cyber-attacks are happening; they were there earlier also, but the frequency of attacks was less. Now, during the COVID times, there has been a sudden movement to the digital field, and that sudden adoption of technology will have some loopholes in it. These loopholes are exploited by the attackers to get into the system.
The second thing is that cyber frauds are happening, especially in India, and the number is increasing. Earlier, only 15% of the population was using digital channels for their transactions, and those were the educated class of people. But during these COVID times, everyone suddenly moved to GooglePay, PayTM, and all kinds of digital transactions. In such scenarios, who is taking care of the loopholes? Fraudsters are looting people by exploiting their unawareness in using digital channels. Now banks are taking the necessary steps to educate customers about the various modus operandi of cyber frauds, to caution them against falling prey to them. Now the Government has come up with guidelines for payment gateways and service providers to take care of the security aspects of these kinds of transactions. So, when we are going for such digital technologies, the primary thing is that we have to educate the customers on how they have to use them and what data can be shared. So, the education and awareness part for the general public is very much required when it comes to cyber fraud. Cyber fraudsters will use all kinds of technologies and more sophisticated methods to get into our systems. So, we should be much smarter than the fraudsters, by thinking the way fraudsters think and coming up with a solution to defend.
She said CISOs can overcome these challenges by creating awareness among employees and customers, which is the first thing, and a security gap assessment needs to be done at the design or initial phase of a project, so that any gaps identified can be fixed before the roll-out of the solution. CISOs need to build a cyber-security culture in the organisation, so that everyone will understand the importance of security and understand that all the controls kept are for the good of the organisation. Frequent reviews of the security tools need to be done to ensure the purpose of each tool is met efficiently.
When asked about best practices, industry trends and advice she would like to suggest to fellow CISOs for their successful professional journey, she said, I am mentoring many people and I have seen many fresh graduates who want to come into the security field. I warmly welcome them, but I would advise them that security is nothing but IT or auditing of IT. So, first, we should have a basic idea of what IT is. When it comes to a CISO role, we should be aware of the network, architecture, software development, etc. All this should be known to us, and only then can we find the loopholes. So without having any idea of IT, don’t go for a security role.
She said that the only point she would like to highlight is to get the basic idea of IT and then come to an information security role. For newcomers, I would suggest that they join some company as a SOC analyst, so that they can analyse and learn about the network infrastructure and the application structure, and once the person has worked in the security operations centre for two to three years, he/she will get a rough idea.
So, newcomers should take up such roles; after that they can do some certification programs, which will help them in their steady growth.
And, to be a successful CISO, they should be observant, have introspective skills, be solution providers, be ready to learn and be prepared to face new challenges; those who are good at multitasking can come to the security field.
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.