1) Ensuring proper technology risk management is established to satisfy regulators and business partners
2) Data loss prevention strategies across the enterprise
3) Secure Access control and management, especially for third party service providers
4) IT Governance, Risk Management and Compliance (GRC) to automate the security governance and compliance process
5) Identity management across all critical applications
6) To see a Business Continuity Management (BCM) system framed and implemented across the Bank
Timbrell: What do you see as the top IT security risks facing banks in India right now?
Ratolikar: Top security risks faced by banks in India include unawareness among customers and users about emerging cyber threats, basic hygiene of information security and sensitive data leakage knowingly or unknowingly. In addition to this, identity theft-related attacks are also on the rise.
Timbrell: What is Bank of India’s position on cloud computing; and how are you managing associated security risks?
Ratolikar: We are enthusiastic about cloud computing with regard to seeing how IT services are delivered in a cloud. We feel that as the concept is new and yet to mature, we will use it for some services like email and web while making observations, test the performance and then we may go for a private / hybrid cloud.
The talent pool of service providers, data privacy, Business Continuity Planning (BCP), jurisdiction of data storage and legal issues are all risks to be managed if one decides to opt for cloud.
Timbrell: What technology innovations and trends do you feel are shaping the future of banking in India?
Ratolikar: Technology innovations in the banking industry started in India almost eight years back in the form of core banking. I feel the following services will shape the future of banking in India:
• Internet banking (in use since 2000 but growing rapidly with innovation)
• Mobile banking
• KIOSK banking
• Integration of the ATM networks of all banks
• Financial inclusion using smart cards for rural masses (door step banking)
• Single view of the customer using business intelligence
Timbrell: Global consultancy firm Boston Consulting Group (BCG) recently predicted mobile banking and payments transactions in India would reach US$350 billion by 2015. From a security perspective, how are you preparing for this surge in uptake of banking using handheld devices?
Ratolikar: Today we have more mobile handsets than bank accounts in India. So the penetration of mobile phones is definitely being leveraged to provide banking services. But as any innovation brings with it some risks, mobile / handheld systems are no exception.
We have to address the risks arising from such “consumerised devices,” using a standard framework of People, Processes and Technology. We are educating users continuously via our Intranet Portal, conducting ‘Security Weeks’, engaging on policy compliance etc.
A centralised access management system is being deployed to see that all connections to our applications via these handheld devices are identified, authenticated and then authorised. Digital Rights Management and data leakage prevention solutions are also being evaluated to prevent data leakage via these devices and other end points.
Timbrell: Phishing and vishing attacks are on the increase across the region. How is Bank of India dealing with this increased threat?
Ratolikar: Although there is no one-size-fits-all solution to tackle phishing and vishing, one of the most effective ways is deploying a ‘Two Factor Authentication’ solution. We deployed the 2FA solution two years ago and are happy to witness near-zero incidents. In addition to this technological solution, creating awareness among users about these attacks is extremely important. We are promoting awareness via radio channels, newspapers, periodic SMSes, etc.
Timbrell: Does Bank of India currently deploy Information Loss Protection (ILP) capability and how do you protect from leakage of sensitive data?
Ratolikar: Information Loss Prevention capabilities and strategies start with education and framing the right policies focusing on the impact of data loss, regulatory concerns, legal acts etc. We have done all these things. Now our focus is on a technological solution in the form of rights management and Data Loss Prevention (DLP). We have started deploying Information Rights Management in the Bank. Once this project is over, we will look for the right solution to achieve comprehensive DLP.
Timbrell: How far ahead do you plan your IT security strategy; and why?
Ratolikar: It would be difficult to name the exact time frame for planning IT strategy. Our IT strategy is influenced by the outcome of regular risk assessment exercises on our information assets. We conduct the exercises and based on those results define and amend the strategy.
Our IT security strategy is always aligned with People, Processes & Technology and mapped to Confidentiality, Integrity and Availability of Data. Similarly, whenever any new projects are rolled out to customers, they have to go through our risk assessment exercise.
Timbrell: What skill set do you seek out in prospective team members?
Ratolikar: I seek teammates with the right attitude to learning, good analytical skills, clarity of thought and an appetite and interest in security.
Timbrell: When your time as a technology leader draws to a close, what would you wish to be remembered for?
Ratolikar: A CIO with leadership and motivational qualities and a great risk manager who transformed IT from a cost centre to a profit centre.