In conversation with V. Sendil Kumar, Head – IT Infrastructure and Security, Novac Technology Solutions
Sendil Kumar oversees all technology models, maintenance, and personnel-related operations at Novac Technology Solutions. He has over 25 years of experience in managing technology and IT infrastructure. By establishing standards and procedures, mitigating risks, employing strategies, and integrating a robust monitoring system and metrics, he has been pivotal in strengthening the core network and infrastructure at Novac.
In addition to managing primary, secondary, and near-site data centers with 24×7 networking operation centres, he has designed the private and public cloud infrastructure and handles the Security Operation Centre (SOC) and I.S. Security at Novac. Sendil has also spearheaded all technology initiatives at various Shriram Group companies including Shriram Capital Limited (SCL), the overarching holding company for the Financial Services and Insurance entities of the Shriram Group.
He shares with us some best practices, threats, and challenges large financial service providers face today in the era of digital transformation.
This interview was conducted as a part of the Smart CEO CIO – CISO Knowledge Series, powered by Sophos, a world leader in cybersecurity solutions that serves 400,000+ enterprise customers in 150 countries around the world.
Excerpts from the interview:
In this era of digital transformation, can you share the top three security threats that the financial services industry faces today?
Businesses are moving towards digital to be very agile and to make their products flexible and easy to use. As a result, from being primarily a B2B platform, even finance and insurance transactions are becoming B2C in nature with the customer empowered to perform the role branch offices used to do earlier. But this has had an impact on security as now financial institutions are moving away from closed architecture in data centres to a more open setup with access on the mobile application. Since this amount of flexibility is not possible on on-premise infrastructure, despite having to be highly compliant with regulatory bodies like RBI or IRDA, the financial services companies are migrating to the cloud to remain competitive.
The three major areas that a CISO or an IT head has to proactively handle are:
- Managing the threats on the cloud and having tools that are on par with or even better than what was used on-prem. Often IT heads think that security on the cloud is the cloud service provider’s responsibility, but that is not so. The CISO has to choose the security tools, test them, and ensure their proper usage on top of other applications.
- The second biggest problem, threatening not only the financial services industry but across the board, manufacturing and pharma included, is ransomware.
- Data leak is the third challenge where data is getting hacked and being used on the Dark Web. This leak happens because of the multiple third-party integrations that financial service providers forge with different vendors such as automobile vendors, food delivery partners, and other kinds of service providers. If the integrations are not done properly or if the third-party vendor’s application has a problem, then hacking is very much possible.
These pain areas are a result of the move towards digital transformation and are not limited to these three. There are many more internal and external threats that have always existed, and so a hybrid approach where an internal team works with third-party vendors becomes essential to ensure reliability and dependability, which are the greatest challenges. Establishing processes, procedures, and controls to manage the system properly is crucial.
Kindly share with us some of your threat hunting strategies to proactively protect your data.
Threat hunting refers to a proactive assessment of your security level, vulnerable areas, and mitigating risks. Businesses must secure their endpoint devices such as mobile devices, desktops, and laptops, which can cause serious threats to security. Now work from home has compounded the channel, and it is a pain area for the IT head or the CISO but cannot be avoided. Any breach can cause a loss of credibility, and so instead of being reactive, we have to be proactive in strengthening our endpoint security.
The second aspect is the gateway. At Shriram Group, we have a higher-end firewall, a web application firewall, a normal firewall, and then we have user behavior analysis tools, and so on. These generate logs that provide insights on threats and vulnerabilities.
We use SIEM (Security Incident and Event Management) to manage the logs and a SOAR (Security Orchestration, Automation and Response) platform to generate reports and dashboards so that I can fine-tune the controls, get patches, etc.
How important is the security team in today’s context of automation?
It is one of the pain areas for any IT company. Technology is constantly evolving and engineers have to be given training on a regular basis. But a certification alone is not enough; the person who is working in security must be passionate about it. Experience counts, as the learning has to be linked to the current business. Training should include gamification: Red Teaming, where one team tries to attack and another defends, and Blue Teaming for internal auditing. This will help in team building as well. Then there is a need for a proper incident response team that should be trained in prioritizing system-generated tickets so that they can focus on high-risk areas better. We also should train them in trend analysis based on internal and external incidents, to identify gaps in tools and processes and address them.
How can digital transformation technologies help with threat hunting and crisis preparedness?
In addition to SIEM and SOAR, we use AI/ML-based algorithms to get reports on brand monitoring, anti-phishing, anti-malware, and so on — as manually it will be very challenging to wade through the logs generated. We have a digital threat hunting process and have tied up with a leading company. With the AI tool, there can be a lot of false positives initially, but with time, the learning will improve the results.
Kindly share three best practices financial businesses must incorporate for security and governance as more digital initiatives are implemented.
Strong process, policy, and controls are a must. The security approach has to be top-down, for which we have to update our directors. Now everyone is aware of security and keen to know about security controls. If they are unaware, we must update them about the residual risk. We should also see how the budget should be allocated to improve security. For defense in depth, real-time monitoring is important, as no organization can claim to be 100% secure at any point, and knowing the gaps is important. The gaps should be addressed based on the risk level.
What can be some of the bottlenecks to security in financial service organizations? What can be some of the impacts of this?
The bottleneck is mostly with regard to resources, reliability, and tool compatibility.
Suppose we have a tie-up with a vendor and their employee joins their competitor. Though we sign NDAs, it is still an area of potential threat.
We still have some legacy/monolithic systems and security patches may be a problem for those systems. The complete transformation will take time. So, we are changing in a phased manner, with customer-facing applications getting top priority.
How can financial service providers ensure scalability and future-proofing of their security and therefore their digital initiatives?
Due to the ever-changing nature of technology and security, businesses should consider IT investments as Opex instead of Capex. Instead of investing heavily in hardware and software, it is better to look at SaaS. Second, if there is an option to use a product on the cloud, then that will ensure better scalability.
Many organizations miss out on using a CMDB (Configuration Management Database), which is important for collecting all the assets of the organization and classifying them as high, medium, or low risk based on usage and priority. This can help streamline the security process by focusing on high-risk areas. IOCs (Indicators of Compromise) provided by RBI and IRDA can help identify IPs from which threats are generated and mitigate the risk with appropriate measures. A strong network of peers will facilitate sharing of thoughts and ideas to make a collective effort to address the threats.
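A worked example, added here and not code from the interview or from Novac or Shriram: a small Python threat-hunting check that matches the source addresses in firewall log lines against an IOC list and ranks the hits by the CMDB risk tier of the asset they targeted, the way the answer above describes combining the two. The CMDB entries, the IOC ranges (RFC 5737 documentation addresses, not a real RBI/IRDA feed) and the log lines are all constructed.

```python
import ipaddress

# Constructed sample CMDB: asset IP -> name and risk tier (high/medium/low),
# as the interview describes classifying assets by usage and priority.
CMDB = {
    "10.0.1.10": {"name": "customer-portal-web", "tier": "high"},
    "10.0.2.20": {"name": "hr-intranet", "tier": "medium"},
    "10.0.3.30": {"name": "dev-sandbox", "tier": "low"},
}

# Constructed IOC feed of hostile ranges (placeholder documentation addresses).
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed firewall log lines: timestamp, then key=value fields.
LOG_LINES = """\
2024-03-01T10:00:01Z src=198.51.100.23 dst=10.0.1.10 action=ALLOW
2024-03-01T10:00:02Z src=192.0.2.5 dst=10.0.1.10 action=ALLOW
2024-03-01T10:00:03Z src=203.0.113.7 dst=10.0.3.30 action=ALLOW
2024-03-01T10:00:04Z src=198.51.100.9 dst=10.0.2.20 action=DENY
"""

TIER_SCORE = {"high": 3, "medium": 2, "low": 1}

def parse_line(line):
    """Split one log line into a dict of its fields."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, **fields}

def is_ioc(ip):
    """True if the address falls inside any IOC network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)

def score(asset_tier, action):
    """Priority = asset criticality from the CMDB, doubled if the traffic got through."""
    base = TIER_SCORE[asset_tier]
    return base * 2 if action == "ALLOW" else base

def hunt(log_text):
    """Return IOC hits ordered by priority, highest first (unknown assets count as low)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not is_ioc(ev["src"]):
            continue
        asset = CMDB.get(ev["dst"], {"name": "unknown", "tier": "low"})
        alerts.append({"ts": ev["ts"], "src": ev["src"], "asset": asset["name"],
                       "tier": asset["tier"], "action": ev["action"],
                       "priority": score(asset["tier"], ev["action"])})
    alerts.sort(key=lambda a: a["priority"], reverse=True)
    return alerts
```

Running `hunt(LOG_LINES)` surfaces the allowed connection from an IOC range to the high-tier customer portal first, while the denied hit on a medium-tier asset and the hit on the low-tier sandbox rank equally below it.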