Vishal Salvi, Senior VP and CISO, HDFC Bank, calls for all the banking CSOs to come together and make a framework wherein they can approach and overcome security issues collectively.
The frequency of large attacks has been increasing. The common reason for these attacks is third party lapses. Vishal Salvi, Senior VP and CISO, HDFC Bank, feels it is time enterprise information security leaders collaborated to tackle this menace.
“The common thread around all the large attacks in the recent past is a trusted third party. It is not your system. We have a challenge of trusting third party vendors. The challenge is not because there is no intent on the CSOs part. The challenge is because there is ignorance,” Salvi said while delivering his presentation on ‘Security in Transition.’
“There are very few merchants who are today compliant. It is important to engage the service provider and merchant communities. It needs institutionalized changes not in terms of individual CSOs taking a silo approach. It needs a collaborative and industry-wise approach,” he said.
“For instance, all the banking CSOs should come together and make a framework wherein they can approach collectively. Today, when I approach a merchant and ask him to be compliant, he can simply approach another bank. So, since the banks don’t talk to each other, merchants take advantage of this situation. The need of the hour, therefore, is to get the CSOs and the business people together because these are the people who are doing the merchant on-boarding and are different from CSOs. The first challenge is bridging this gap and then going collectively,” Salvi said.
“Some progress has been made in the last eight months wherein we have created a forum wherein CSOs and risk managers are meeting and are trying to drive the agenda together. There is so much of collaboration happening in industries across the US. There is no reason why we can’t have it in India. 9.9 Media through its initiative of CSO Forum is also helping towards this cause,” he said.
On the changing dynamics of security, Salvi said the emerging areas of social and mobility were posing a serious challenge for CSO.
“The issues of mobility and social have been around but the push from the management to embrace this wasn’t there. It is now that we are seeing a real push from business to make sure they are leveraging these channels to engage with the customers. It is creating a challenging situation for CSOs. Social is one area which is seeing so much compromise happening. It is dilemma as to how we can allow businesses to use social and mobility and at the same time ensure security,” he said.
“For this, a CSO needs new solutions, technology and out-of-the-box thinking. He also needs to be assertive and ask the business to go slow,” he said.
Salvi also cautioned CSOs on shadow IT and opined that it was necessary for them to build processes and controls along technology.
“The moment technology gets by-passed, all the triggers meant for securing the enterprise don’t get activated. So you need to find out how the businesses are engaging and building those solutions. Given that technology is getting by-passed, it is important to build a cloud governance model and build a change management model around it. This is one of the biggest challenges for security professionals because security as we know it and security as we do it is passé,” he said.
“Advanced threats are another serious problem. Today, we are barely able to stop them. Unless we upgrade our technology and get insights into what is happening. Our response is extremely slow,” he said.
“I see security evolving into more agile, more dynamic and being able to have more direct access to technology. Traditionally the approach has been top down – we look at policy, controls and then how start orchestrating all the technology. This is a slow approach. The bottoms-up approach is also important wherein one starts looking at technology to give get information on a more real time basis,” Salvi added.