Rajesh Thapar, CISO, Axis Bank: Unpacking the holistic approach to security

Research shows that financial companies experience cyberattacks 300 times more than other industries, highlighting how attractive and lucrative a target they are to cybercriminals. Rajesh Thapar decodes some of the complexity in developing a comprehensive cybersecurity strategy.
Sneha Jha
  • Updated On Oct 3, 2022 at 10:43 AM IST


It’s a digitally connected financial ecosystem. But is it a secured one? Quite the contrary.

The more digital you become, the more exposed and vulnerable you are.

The Union Minister of State for Finance Bhagwat Karad informed Parliament in August that Indian banks reported 248 data breaches in the last four years. Of those 248 breaches, 41 were reported by public sector banks (PSBs), 205 by private sector banks, and two by foreign banks.

Research shows that financial companies experience cyberattacks 300 times more than other industries, highlighting how attractive and lucrative a target they are to cybercriminals. The havoc created by the Log4j vulnerability, the Emotet banking trojan, NetWalker ransomware, and the Cerberus financial trojan is still fresh in public memory.

If findings from the 2022 IBM Cost of a Data Breach Report are anything to go by, the finance industry had the second highest average cost per breach, trailing only health care. BFSI organizations averaged $5.97 million per breach.

When it comes to security, you can’t be too careful. Which is exactly why you need to adopt a holistic approach to managing security across the entire environment.

Trouble is, the pieces of the security jigsaw puzzle are constantly moving and changing shape. So how can you put them all together?

ETCIO spoke with Rajesh Thapar, CISO, Axis Bank to unpack the tenets of a holistic approach to security.

When it comes to security, you are at the mercy of your preparation. And, that said, the buck stops at the CISO. How are you looking at holistic security cover against threats? How do you ensure that the organization, employees and customers are all protected?

The first step to holistic protection is to know all your risks. If you don’t know what to protect you will end up with a larger gap. In the security domain, the unknown unknowns are the greatest worry. You need to reduce the unknowns to near zero and for that you need to run a lot of risk assessments and threat assessments on a continual basis.

It's important to keep discoverability to a minimum. Once you know the maximum, only then can you draw out your plan of action.

Once you know your risk cover you must make sure that every stakeholder within the organization is with you because the CISO left alone cannot protect the enterprise. It is important to create a cyber risk culture where every stakeholder is made accountable. Cyber awareness should be disseminated to every person who matters in the systems.

Communication, upskilling, and a top-down approach are required to build this culture.

It is also important to adopt a security-by-design approach in every product, process and project that is coming up. This helps create a holistic security environment.

The next step for a holistic framework is a cyber resilience plan to ensure that if something goes wrong you can contain and recover.

The other important thing is that you should keep challenging your own controls. What was effective and enough yesterday is not so today. The risk appetite, digital footprint, threat landscape, attack vectors, digital ecosystems are changing every day.

Banks have invested in network security, endpoint security and cyber security. But there is a lack of visibility and observability across all siloed parts of security. How can they deal with the challenge of silos and lack of visibility through the attack surface?

Over the years, several tools were added to the environment as a reaction to something going wrong within the organization or any other organization in the landscape. This challenge snowballed as security evolved.

The purchase of security tools and technologies and the adoption of policies were a result of the incidents that were happening elsewhere. A lot of point-in-time tools got embedded in a lot of organizations.

In isolation they did what was demanded of them. But when the interplay of digital systems and tools got extended beyond the perimeter of the organization to partners in the digital ecosystem, those point-in-time security tools became difficult to manage.

Integrated security is a big ask. This is going to play a major role. A lot of initiatives will be run around it. Security consolidation is required for visibility, to reduce the unknown unknowns.

A bank’s cybersecurity is as strong as its weakest link. How do you work with third party suppliers and ensure that they are also at the same level of security and compliance?

Third-party information risk assessment has always been at the core of security programs. But now, with fintechs, government organizations, and e-gov portals getting a big play, there is scope for a lot of issues to creep in because of compromised infrastructure on the other side. So it is important that you classify this information.

Classify the vendors and the kind of exposures that could come from the partners. If it’s a software developer then the checks would be different. If there is integration through APIs the checks are different. If it is a service provider who is rendering services directly the checks are different.

So, classification is critical. There is no one-size-fits-all from the checklist assessment perspective as well. You need to document your risk and put your due diligence where you can.

When you are integrating with your own environment it's important to see if you can have a toll gate for the traffic that is coming in from the other side.

Do you know who is accessing it from the other side? Can you trust the device? Can you trust the user? Are you doing a re-evaluation there? Those are some of the questions you need to ask to contain the environment where they have access.

You need to have intelligence over your partner's controls. A one-time assessment does not ensure that the partner is good at the controls. It's not about point-in-time checks. You need to have continuous visibility. As banks we all extend APIs, but how certain are we that only the APIs we have authorized them to consume are being consumed? There can be surprises.

So, we need to have visibility of API discovery. We need to rethink our mechanisms and defenses. If you know what Key Risk Indicators to measure, you will know whether you are improving or deteriorating, and that visibility is also important to chart out your plan of action.

Vendor risk assessments are important, but these are all point-in-time checks and they have limitations. The partners have to meet a certain level of compliance that the bank would have on its side. But it's only a declaration, and you will not be able to ensure that the vendors are routing their changes through you all the time.

Banks should collaborate amongst themselves and evolve a standardised checklist so that vendors can adhere to that minimal baseline. This will help us bring to light control weaknesses.

And there should be an accreditation mechanism for some of these partners. Service providers should get certification for a minimum level of security controls; only then should they be empanelled by an organization. This will help put accountability on the vendor. Today the onus is on the regulated entity. But these controls can tighten up the system much better.
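The points above about API consumption visibility and Key Risk Indicators can be made concrete. The following is an added example, not code from Axis Bank or from the interview: it reads API-gateway access log lines, attributes each call to a partner by its client id, normalises the request path so that calls to different records map to the same endpoint, and compares what each partner actually consumed against the endpoints the bank authorised for it. Calls outside a partner's authorised set are reported, calls to endpoints missing from the bank's own inventory are flagged as shadow APIs, and a per-partner KRI (share of calls outside authorisation) is computed. The partner names, endpoints, log format and log lines are all constructed for illustration.

```python
"""Partner API consumption check (added example; names, paths and log lines are constructed)."""
import json
import re
from collections import Counter

# Hypothetical authorised surface per partner: (method, normalised path template).
AUTHORISED = {
    "fintech-a": {("GET", "/v1/accounts/{id}/balance"), ("POST", "/v1/payments")},
    "egov-b": {("GET", "/v1/kyc/{id}")},
}

# The bank's own inventory of published endpoints; anything outside it is a shadow API.
INVENTORY = {
    ("GET", "/v1/accounts/{id}/balance"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/kyc/{id}"),
    ("GET", "/v1/accounts/{id}/statements"),
}

# Constructed gateway log lines (one JSON object per line).
SAMPLE_LOG = [
    '{"client_id":"fintech-a","method":"GET","path":"/v1/accounts/1001/balance"}',
    '{"client_id":"fintech-a","method":"GET","path":"/v1/accounts/1002/balance?ts=1"}',
    '{"client_id":"fintech-a","method":"GET","path":"/v1/accounts/1002/statements"}',
    '{"client_id":"egov-b","method":"GET","path":"/v1/kyc/77"}',
    '{"client_id":"egov-b","method":"POST","path":"/internal/admin/export"}',
    '{"client_id":"unknown-c","method":"GET","path":"/v1/kyc/78"}',
]

# Path segments that look like record identifiers (integers or UUIDs).
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")


def normalise_path(path: str) -> str:
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/"))


def parse_line(line: str):
    """Parse one JSON gateway log line into (client_id, METHOD, endpoint template)."""
    rec = json.loads(line)
    return rec["client_id"], rec["method"].upper(), normalise_path(rec["path"])


def audit(lines):
    """Compare consumed endpoints against the authorised surface.

    Returns (findings, kri): findings is a list of dicts with partner, method,
    endpoint and kind ('unauthorised' = in inventory but not authorised for that
    partner; 'shadow' = not in the inventory at all); kri maps each partner to the
    fraction of its calls that fell outside its authorised set.
    """
    total, outside = Counter(), Counter()
    findings, seen = [], set()
    for line in lines:
        partner, method, endpoint = parse_line(line)
        total[partner] += 1
        key = (method, endpoint)
        if key in AUTHORISED.get(partner, set()):   # unknown partners have no authorised surface
            continue
        outside[partner] += 1
        kind = "unauthorised" if key in INVENTORY else "shadow"
        if (partner, key) not in seen:              # report each partner/endpoint pair once
            seen.add((partner, key))
            findings.append({"partner": partner, "method": method, "endpoint": endpoint, "kind": kind})
    kri = {p: outside[p] / total[p] for p in total}
    return findings, kri


if __name__ == "__main__":
    findings, kri = audit(SAMPLE_LOG)
    for f in findings:
        print(f"{f['kind']:<12} {f['partner']:<10} {f['method']} {f['endpoint']}")
    for partner, value in sorted(kri.items()):
        print(f"KRI {partner}: {value:.2%} of calls outside authorised surface")
```

Run periodically over the gateway's logs rather than once at onboarding: a rising KRI for a partner, or any shadow finding, is the continuous signal that a point-in-time vendor assessment cannot give. In production the client id would come from the mTLS certificate or OAuth client presented at the toll gate, and the allowlist from the contract or API product definition.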

How do you ensure that your framework stays up to speed despite changing threats and skillset issues?

The framework is much easier to control. It has to be agile, in keeping with the policies and with the feeds coming from the industry, the regulator, threat intel partners and global incidents; all of this helps identify the controls that you should add into your framework. The NIST framework is the bible for most of us for creating a cyber security framework. But when it was introduced in 2016 it didn't factor in ZTNA and how it gets embedded in the cyber security framework.

So, keep the framework agile and flexible, and keep revisiting it on the basis of the digital partner framework. Banks should take the intelligence they have from various sources, work it out and test it to see where the gaps are. They should do red team assessments, challenge the controls and keep changing to keep the framework up to date.
  • Published On Oct 3, 2022 at 10:43 AM IST