“We are producing technocrats and not engineers,” says Julen C. Mohanty, Asst. Vice President (AVP), IT & Risk Security Management, JPMorgan Chase. In an interview with Sanjay Kumar of CSO Forum, he brings out the key areas of his focus in 2015, with emphasis on BYOD and Big Data Analytics.
How do you see the threat landscape evolving in 2015?
The biggest challenge is knowledge management. There is a huge shortage of skilled labour who can understand the concept of cyber security. The problem is not new, but as the industry has expanded, it has become quite visible now. We are producing technocrats and not engineers. These technocrats have an engineering degree with zero security basics. Moreover, people do not have much interest in cyber security or risk management.
Will the role of CRO (Chief Risk Officer) gain importance in 2015?
The function of a CRO in 2015 will become almost equivalent to that of the CIO. The CRO has always been an essential requirement for the vulnerability assessment of an enterprise. The risk factors cannot be reduced to null, but the probability of occurrence can be condensed considerably. Thereby, the CRO has a huge potential and will be a main player in augmenting the perfect secured architecture with the CIO.
What specific challenges do you foresee for your enterprise?
The biggest challenge for my company is BYOD. It is amply clear that BYOD augments productivity & employee satisfaction. But at the same time it impacts the security parameters. On this account, the increased productivity versus security threat is the key problem. The current generation, which comes to the office with the latest mobile sets, has no knowledge of the security risk which comes attached with these devices. Therefore the challenge further multiplies with educating them on foolproof security parameters.
Do you think that security basics are still relevant today or a change is needed in the security practitioner’s approach?
90 percent of breaches of corporate data occur when the basics are ignored. The Trojan virus is still as lethal as it was a decade back. We have arrived at this situation since there is too much reliance on technology and not on people. The approach to be followed is to understand the fact that technology is just an assistant. Simplifying things will help achieve our goals.
How effectively have you deployed BYOD policies in terms of multiple devices with their specific operating system?
Our strategy is very simple. We plan to take each platform as a separate BYOD. For us Android is one BYOD and Apple-based devices are another. That is our strategy for this scenario.
Which MDM (Mobile Device Management) strategies have you deployed in reference to BYOD? Is sandboxing architecture part of this?
Currently, we do not have an MDM in place. But we are planning to implement it soon. As of now, we have an application called ‘GOOD.’ This application gives you controlled access to your profile and various applications. It is based on a two-factor identification system. In this architecture, one password is generated from the machine end, and the other is the employee’s password. Only when both match can an employee enter the mainframe system. Therefore, this is based on a both-side recognition mechanism. But once the MDM is implemented, the entire architecture will become robust.
On the other hand, sandboxing is a high-level architecture. For shifting to this level of complexity, first our basic level needs to be corrected and correlated. Only then can we implement the sandboxing techniques.
A lost or stolen mobile device can potentially compromise corporate data. How do you plan to tackle this situation?
We have a standard operating procedure (SOP) once the device is lost. The time he/she loses it, they just have to register a complaint regarding the loss (with the entire detail) to the number 1818. Simultaneously, we will wipe out the entire company data from the cloud architecture. The time frame for deleting the data varies from 15 seconds to 15 minutes.
What kind of educational or security awareness programmes do you organize for your staff?
Yes, we are running security sessions for our employees. The application GOOD is only installed once the employees have passed the mandatory screening test with a minimum of 80 per cent. Also, the system is based on the hierarchical needs of the organization, with AUP (Acceptable Use Policy) being part of this entire scheme.
We are also planning to start a process asset library, where employees would find relevant books and subjects for their professional growth. For example, a fresh B. Com graduate can take the help of the library in understanding concepts of micro and macro economics. Similarly, the focus would also be on the security parameters.
A lot of discussion is going on about Big Data and Analytics. What is your take on Big Data and analytics from a security standpoint?
This is one of the most important agendas for our company in 2015. Being a finance firm, Big Data Analytics is significant for us. On the security front, we are also planning to deploy this architecture to look into activities such as vulnerability threats, source of threat, its location and various patterns associated with it. With time, Big Data will become a huge part of our network and risk-assessment analysis.