Enterprise Security 3.0 for Banks
A 3-Step Strategy for Risk Mitigation in the New Era
While banks will inevitably leverage the cloud and social media to experiment with innovative business models - social media-based fund transfer, for example - CISOs must work out an effective risk mitigation strategy.
In my opinion, banking CISOs must take a three-step approach to manage information security within what I call Enterprise Security 3.0.
Enterprise Security 3.0
The Enterprise 3.0 era is about radical changes that move us away from debates about business/technology "alignment" and closer to business/technology convergence, the inevitable outcome of technology, business and management trends.
This convergence has affected information security as well: technology has moved beyond traditional data centers and perimeter security to embrace mobility and even social media banking. We term this the 'Information Security 3.0' regime. It treats innovation as core, and it lets CISOs examine both the specific changes we can expect and the general effect that all of these changes will have on business technology and on its relationship to the business models, processes and outcomes involved in managing security.
Enterprise Security 3.0 speaks to the need for security in today's SMAC (social, mobile, analytics, cloud) world, especially when banks are jumping on the digital bandwagon and want to reach customers through more digital channels, such as Facebook and Twitter.
In addition, as new customers move to online banking, business models are changing, and IT start-ups are rising at an unprecedented rate. All of these will lead to new and innovative forms of fraud. So the focus has to be on three topics: prevention, detection and response.
The 3-Pronged Approach
I recommend that CISOs adopt the prevention, detection and response framework as part of their enterprise security strategy. The PDR model simplifies the way CISOs look at information security management from design to execution, giving good visibility into the performance of each security domain.
Why PDR? Traditionally, most CISOs have focused on preventing an attack, and have not thought as much about how to detect it in advance or about having a response model. It's time to recognize that hacking is now an organized syndicate, more targeted and more sophisticated. Success lies more in how quickly one can detect a breach, respond to it and shorten the breach response window.
Security controls should be a combination of prevention-, detection- and response-related controls. To secure against attacks, one must develop a control library covering all three domains.
The PDR framework is about infiltration versus exfiltration of data. Specifically:
- The prevent-and-protect framework absorbs IDS (intrusion detection systems), web gateway, DLP (data loss prevention), WAF (web application firewall), metrics, SOC (security operations centre), DAM (database activity monitoring), FIM (file integrity monitoring), NBAD (network behaviour anomaly detection), honeypots, data security in the create phase, secure data purging and DDoS protection.
- The detection methodology incorporates a remote access framework, customer awareness, MDM (mobile device management), VA-PT (vulnerability assessment and penetration testing), APT (advanced persistent threat) defence, NAC (network access control), patch management, intrusion assessment, threat intelligence, hardened USB, DAM, data masking, a vendor risk framework, IT Act requirements, source code security, a risk management strategy, secure data exchange with vendors and DDoS detection.
- The response mechanism should cover incident management, cybersecurity incident response, malware analysis, forensic analysis and DDoS response.
PDR Control Library
Once the broad framework is chalked out, it's critical to deploy a control library that clearly articulates the necessary mechanisms for taking control. The key is categorization into the various elements, information security group verticals and areas of focus, and providing actionable controls.
Under the prevention and protection group, CISOs should list the security controls/projects: information risk assessments, vendor management, policy and processes, baseline configuration documents, communication and awareness, physical controls, exceptions management, regulatory, data privacy and IT Act related requirements and compliance. CISOs can deploy a vendor risk assessment framework, vulnerability assessments, metrics, tokenization and cryptography management, security devices such as firewalls, business continuity tabletop exercises and threat intelligence, and follow the RBI (Reserve Bank of India) mandate.
The second element, detection, covers detecting an attack. Controls like DLP, data masking, database activity monitoring, a security operations centre, WAF, IDS, privileged user monitoring, generic and orphan ID detection, file integrity monitoring, network behaviour anomaly detection and rogue mobile app detection can be deployed. As part of the detection strategy, CISOs should focus on endpoint security, data protection, application security, security operations and security incident management controls. Detection methods can be refined with controls around digital asset management, financial management, WAR, SOC and network behaviour anomaly detection, and by having a computer security incident response team in place.
The third domain, response, is more about how quickly one is able to respond to an incident. It incorporates segments including security operations, with a focus on SIEM, NBAD, security analytics, a cyber security command center and technologies like anti-APT and DDoS protection. A computer security incident response team (CSIRT) will be key to handling this domain, using threat intelligence, black box intrusion and digital and network forensics.
PDR Modus Operandi
Once controls are earmarked and a framework is put in place, allocate each domain to a team leader. You need three leaders, each taking ownership of one PDR element and preparing an execution plan. Each stakeholder must also have metrics to monitor the progress, impact and performance of the respective task.
More than the deployment of security tools and technologies or the team's security skills, the team leader's ability to manage the task and process will determine the success of the model.
A diligent approach to a working PDR model will ensure a simplified approach to managing information security, providing greater visibility into the system and helping to mitigate risks.
Ratolikar is CISO at HDFC Bank. A believer in the role of the CISO as a risk manager and security thought-leader in an organization, he is a well-known figure in information security circles, and has spoken extensively at various industry events. He was previously the CISO at Axis Bank. Prior to that, he was the CTO and CISO at Bank of India. He has more than 20 years of experience in IT and information security.