SEBI to Hire a CISO to Help Protect Securities Markets
Information Security Leaders Weigh In on Priorities for New Officer
The Securities and Exchange Board of India is scouting for a CISO to oversee various initiatives aimed at protecting the securities marketplace from cyber threats.
The new officer also will be responsible for strengthening SEBI's regulatory policy framework in the area of cybersecurity.
Information security practitioners and experts say the move is a positive sign that SEBI is committed to helping the commodities and securities markets with tools and policies to combat cyber threats.
"Since enterprises of the securities market are targets of cyberattacks as they are part of the national critical infrastructure sector, having a full-time CISO is of high importance. It's time SEBI brought in an in-house CISO," says a CISO of a large stock exchange, who requested anonymity.
Because SEBI has issued guidelines to India's stock exchanges on how to develop a cybersecurity and cyber resilience framework to protect the securities market from cyber threats, having a CISO in-house who will help in executing the framework is important.
SEBI says candidates for the new position should hold a post-graduate degree in computers/information technology with a bachelor's degree in electrical, electronic, electronics or communication engineering, information technology, or computer applications.
Candidates ideally should have a minimum of 10 years' experience in the IT industry, preferably in cybersecurity and IT systems audit and assessment and implementation of critical IT systems. The critical criterion is at least five years at a senior level as head of a large unit of an IT company or an IT unit of a bank/financial institution, or market financial institution.
The new CISO will have a three-year contract, renewable by mutual agreement for a further period, SEBI says.
CISO Needs More Time
"While having an in-house CISO and developing internal capabilities is good, the short-term role for three years is not encouraging," says Mumbai-based N. D. Kundu, CISO of Bank of Baroda. "It takes a minimum of five years to establish the entire framework and support the market. The challenge is not within SEBI, but outside among enterprises of the securities and commodities market which are key targets of attackers."
Kundu says the new CISO at SEBI must be prepared to take a hands-on approach, serving as a catalyst for ramping up security.
Mumbai-based Narayan Neelakantan, co-founder and CEO at Anzen Technologies Pvt Ltd., and former CISO of the National Stock Exchange, says one key challenge for SEBI's new CISO will be to adapt to the security markets' ecosystem.
While beefing up efforts to fast-track work on new, stronger policies and a risk framework in cybersecurity, SEBI expects the CISO to also be responsible for:
- Strengthening SEBI's regulatory policy framework in cybersecurity;
- Ensuring implementation of regulatory policies across security markets;
- Enhancing capacity building at SEBI/market participants with respect to cybersecurity;
- Developing a stress-testing mechanism to mitigate risk arising out of cyberattacks;
- Taking corrective measures/prudent responses in case of cyberattacks at SEBI or market participants;
- Observing developments in cyber technology and security and preparing inputs for regulatory policy development;
- Informing management about global developments and necessary action points in the area of cybersecurity;
- Supporting operational departments and coordinating with other authorities and market participants on issues related to cybersecurity.
Bridging the Gap
One CISO in the securities market, who asked to remain unnamed, says the new CISO at SEBI "must bridge the gap between various functions, including compliance, risk and security, and business for the risk framework introduced by SEBI to be implemented effectively by enterprises."
And Neelakantan says the new CISO at SEBI must collaborate with all the stakeholders in understanding the shortcomings within the system.
Another top priority for the new CISO, Kundu says, should be building an information sharing platform along the lines of IB CART, Indian Banks - Center for Analysis of Risks and Threats. That's a platform for information sharing akin to the functions performed by FS-ISAC, which can enable sharing of information on security events among securities market enterprises.
Experts say the new CISO should also have the ability to anticipate new technologies and the fast-changing cyber landscape and help enterprises deploy the right controls.
"Assessing the level of security maturity among organizations of this sector is the first step for the new leader," Neelakantan adds.