When it comes to banking, cyber security plays a crucial role in securing the various processes in the Indian banking sector. Read on to know more about it…
Almost after two and half years of Reserve Bank of India (RBI) published a cyber-security framework for all commercial banks, various banks are having a tough time finding the human resource to secure the relevant banking system.
While top banks outsource a significant part cyber-security processes and operations to private IT security consultancies and security firms, several smaller banks stand to lose out because they lack the same technical expertise on cyber security. In any public and private sector banks, it’s the Chief Information Security Officers (CISOs) at the top, who is responsible for the implementation of the RBI’s circular on cyber-security.
Security Exercise
For the record, there are two essential core security exercises that banks have to conduct on their computer network, periodically, as opposed to day-to-day security checks. The first is Vulnerability Assessment and Penetration Testing (VAPT) and the second is Comprehensive Security Testing (CST). About ninety per cent to ninety five per cent of Vulnerability Assessment and Penetration Testing and Vulnerability Assessment and Penetration Testing are done by tools. And about 75% of these tests are done by the Big 4 consultancies because they have the tools and overseas experience.
Generally speaking, for day-to-day activities banks are trying to build a team of professionals who are certified with cyber-security skills along with risk management experience. However, very specific areas such as security audits are outsourced because they are process and technology intensive. Since the “significant” aspects of cyber-security operations are outsourced, the attrition/retention risks are passed on to the vendor, whether to one of the Big 4 firms or a security services company.
Challenges
Various security experts said that since the RBI’s initial circular in 2016, almost all commercial banks have implemented the technical aspects relevant to cyber-security, including routine network upgrades and vulnerability testing, but governance and a shortage of talent remain key challenges.
While there is an improved synergetic threat, intelligence sharing and proactive measures are taken to avoid similar incidents amongst the CISO community in India. But again, there is definitely a huge need for advancements in current security incident logging and monitoring practices.
In an digital era of hacking and growing cyber-threats emanating from State or non-State actors, banks have to improve ‘trust’ with their customers and therefore depend entirely on their cyber-security technology, internal governance frameworks and the professionals running these operations. As banks rapidly embark on their digital journey, the attack at surface levels will continue to increase and the attack vectors will get sophisticated.
As banking regulations become stringent and cost of compliance continues to rise, organizations need to invest significantly on analytics, automation and security platforms that will ease the burden. As far the deployment of technology by roping in consultancies or buying enterprise security software and finding the ‘right’ talent are concerned, banks have to increase their investment and spending capacity. This will benefit the top commercial banks with the ‘latest’ technology and ‘best’ talent in cyber-security, while smaller rural or cooperative banks may stand to lose on the cyber-security aspect on spending and best human resource.
Ground Reality
Banks are taking cyber security very seriously as they develop their cyber-security policies, but they are also finding ways to avoid specific tough decisions. For example, some banks designate the CISO’s role under the Chief Technology Officers (CTOs) ambit, which is not ideal in banking sector. Given the shortage of cyber security talent available for banks to hire as full-time employees, there is a high attrition rate.
As banks rapidly embark on their digital journey and cyber-security, the attack at surface levels will continue to increase and the attack vectors will get sophisticated.
