The CISO of Mahindra & Mahindra Financial Services reveals why security leaders need to be upfront about things and prepare for the outcome of every strategy.

A cybersecurity veteran with over 20 years of experience across the government, defense, retail and banking domains, Vijay Radhakrishnan is a strategic business security thought leader with digital transformation as the guiding light for his approach towards IT governance, risk, security and compliance. In an interaction with CSOOnline, he reveals what it takes to keep a financial organization secure amidst global threats and compliance roadblocks.

Career highlights: 20 years of experience in the field, spanning the government, defense, retail and banking domains. Specializes in enterprise risk, governance and security frameworks. Member of ISC2, ISACA, CIIA and IEEE. Currently the CISO of Mahindra’s Financial Service Sector.

What is your organization’s cybersecurity strategy based on? Preventive or reactive or both?

In terms of security there is always the unknown. Generally, a cybersecurity expert will talk about 4 things – known known, known unknown, unknown known and unknown unknown. The last two are always interesting. Security does not mean just putting on firewalls anymore. It has to be a layered approach across all layers – physical, application, network etc. You need to have controls everywhere and go for a hybrid model. Then insider threats are also a big headache for organizations. Technologies like machine learning and artificial intelligence can help in catching these things before it becomes too late. Also, most of the privileged-usage accounts have to be continuously monitored, or monitored for anomalies, as they are targeted the most.

In the case of a breach, whose responsibility is it – the CIO or CISO?

I’d say it is the responsibility of both. In certain situations, the CIO or CISO might end up in an argument, but it can be a healthy argument which is better for the health of the organization in the long run. Ultimately they act like a team in the case of a crisis.

RBI has mandated banks to link SWIFT with CBS and released a list of 9000 NBFCs that were found to be high risk. What is your opinion?

SWIFT is ultimately one instrument through which international transfers take place. For banks, whenever funds are transferred it means it has to physically exist somewhere – either in paper form or in the ledger. Banks have made a huge fundamental mistake by not integrating their systems with the network. They must do it as soon as possible.

In the case of high-risk NBFCs, there are certain measures which can be deployed (from a loan perspective). Obviously, there has to be a level of stringent assessment before granting a loan to high-risk parties. Subsequently, loan repayment should also be monitored. It should be assessed whether the money coming back is through a normal payment mode, or coming in unusual bursts. RBI will say something is non-compliant, but they don’t say ‘X’ is non-compliant. The missives are a little vague when it comes to the regulator. In such a scenario, companies have to stick to the fundamentals.

A couple of do’s and don’ts for your peers.

Be clear about what you are doing. Don’t be biased about things, because the bylaws are very clear. Forget about the certifications or degrees you have. Fundamentally, be upfront and don’t be afraid. Hacks do happen. It’s a question of how you manage the hacks – what are the preventive measures, what are the mechanisms – and even then you can’t be 100 percent sure that everything has been captured. There are different mechanisms, including cyber insurance, which you must deploy to keep the organization safe.

What are the technologies that are important to an FSI institution’s security strategy?

Artificial intelligence and machine learning are important – but to a certain level only. There has to be a cutoff point. You cannot automate everything. Big data analytics is another extremely important tool because of the churn of data available today. When it comes to blockchain – we have to wait and watch. From a security perspective, I will always look at the abusive part of it first, and how it can be taken advantage of. You can adopt new tech, but one must proceed with caution.