Opinion

CISO Can Help Innovate and Not Just Fight Cyber Threats: Ratan Jyoti, Ujjivan Small Finance Bank

Ratan Jyoti, CISO, Ujjivan Small Finance Bank is a firm believer that today a successful CISO is not just a protector but also necessarily a lifelong learner – a belief that he has embodied throughout his career, helping him evolve from a data warehouse professional to a CISO.

“It is said that learning is the superpower of superpowers, and continuous learning motivates and inspires me more than anything else and helps me carry out my own research,” quips Jyoti as he recalls the starting point of his learning process – his first job, which was a data warehouse project that involved work related to databases and programming. He was very particular about exception handling and validation in his programming and gradually realized that the absence of validation could give him access to websites and the databases behind them. Slowly he started analyzing websites for their robustness, the process became a puzzle-solving exercise for him, and he started learning by himself. At that time there were not many tools available, and each website taught him a unique way to penetrate it. While he failed many times, he succeeded some of the time and could access what he calls the treasure, i.e. the data.

While his intrinsic curiosity led Jyoti to occasionally dabble in infosec, his first real exposure to the domain came with his move to the banking industry, where information security was very critical. There he got specialized exposure to networking, IT audit, risk management, etc., to which he owes his success as an infosec professional. “I strongly feel that a successful infosec professional should be good in all these areas and should be able to solve riddles,” he explains. Over the next few years he found himself transitioning into an infosec professional, partly due to his exposure to these underlying areas, but largely due to the challenging nature of the field.

Jyoti’s formal infosec journey started at Vijaya Bank where he worked for nearly 9 years and was elevated to the CISO position. In 2016 when Ujjivan Financial Services got an in-principle approval from RBI to set up a small finance bank, he got the opportunity to become the bank’s first CISO with responsibility for setting up its entire infosec infrastructure as per the banking standards.

CISO as a Change Agent Enabling Digital Transformation

Having evolved into a CISO over the years, Jyoti believes there has never been a more opportune time to be a CISO and is excited to have found his way into this position at the right time. “In this cyber age, the CISO is seen as a change agent helping the organization to innovate and not just limited to security operations. The CISO can help the organization innovate with IoT, AI, ML, Blockchain, etc. and not just fight cyber threats. The most significant change I see is that today CISOs have earned a seat at their board meetings, and I feel this is just the beginning,” he explains.

To fit the changing cybersecurity business objectives brought about by digital transformation, Jyoti believes, the CISO role needs to evolve. “While 3-4 years back CISOs were technology driven and the main aim was to provide technological solutions to infosec problems, today they are becoming service oriented. In the era of digital transformation, strategic business enablement has become the main role of a CISO,” he adds.

To stay relevant in this changing cyber threat landscape, Jyoti stresses the importance of CISOs diversifying their skillsets, not only in technical areas such as Natural Language Processing (NLP), AI, ML, data science, Blockchain, etc. but also in transformational management skills around leadership, team management, business analysis, risk management and strategic planning. “CISOs today require innovation beyond traditional controls to provide security to their organization’s digital transformation, making transformational management skills key. Also, today’s cyber chain covers dark web-based services, tools and malware, making business acumen and leadership qualities of paramount importance,” he explains.

With digital transformation introducing complexity and new threats not limited to technology alone, Jyoti believes that CISOs need to approach cybersecurity and risk from the perspective of integrated security and risk management, with automation and agility in achieving security. Continuously reactive security has to be replaced by a proactive and automated model.

Secure Digital Enterprise – Dos and Don’ts

Jyoti sums up his tips for CISOs for successfully managing a secure digital enterprise with the following ‘Dos’ and ‘Don’ts’:

  • The CISO should have a clear roadmap of risk versus reward while planning for digital transformation and must be clear that not all threats can be avoided. S/he should not try to tackle every threat, which is almost impossible in complex transformations, as breaches cannot always be prevented.
  • Digital transformation is all about agility, requiring the CISO to be agile and leap forward with security.
  • The CISO should have a clear understanding of the complete attack surface, and security models should be designed based on the attack distribution.
  • As traditional security design is likely to introduce new vulnerabilities, the CISO should make extensive use of automation and orchestration for the most significant threat vectors.
  • A data leakage mitigation plan should be considered from the beginning. The cyber playbook and threat intelligence are key to ensuring the security of the digital transformation journey.
  • Compliance and regulation should be at the core of security architecture design.
  • The security architecture should be designed with the customer at the centre.
  • In the age of digital transformation, the CISO should not be influenced by technical bias.
  • Digital transformation should not be treated as a product, as it is a voyage, and hence it should not be treated only as a technological shift. The CISO should ensure that adequate risk management and security controls are part of this journey.
  • The CISO should understand that traditional security controls may not be very effective, that digital transformation will need innovation in security too, and that such security should be contextual.
11 Comments
  1. Rama 7 months ago

    Great Read. Loved to read this journey. Very inspirational

  2. Tony Alec 7 months ago

    Security is becoming more and more important. I agree with Ratan Jyoti that all attacks cannot be prevented and so we should have a risk-based approach.

    Dos and Don’ts are very nice.

  3. Randhir 7 months ago

    Great article, and very inspiring. Ratan Sir, please tell us more about how to make the security architecture more flexible and scalable in light of emerging threats, business requirements, strategic alignment and regulations.

    • Ratan 7 months ago

      Security architecture is the key for every information and decision system. The architecture should be dynamic and support a wide range of security mechanisms for each and every element of the ecosystem on a need basis. These security mechanisms include authentication, confidentiality, integrity, authorization, and audit. If these components are planned and forecasted well, the architecture will always be flexible.

      Having said that, the world is now moving towards the Zero Trust security model. In other words, every service request made by any stakeholder or machine is suitably authenticated, authorized, and encrypted end to end.

  4. Debjani Saha 7 months ago

    Nice one. It is worth reading.
    Sir, how do we keep up with the emerging security technologies while justifying their cost-benefit to the management every time we present a business case?

    • Ratan 7 months ago

      Today, techniques are available to predict the level of monetary loss for each threat, and the monetary benefit of controlling the threat. However, determining this is a tedious task and can probably compute the cost only partially, as there is no perfect way to calculate the value of reputational loss.

      Emerging technologies can bridge this gap, but we are required to present suitably to the top management how these emerging technologies can minimise the risks and are value for money. The buy-in decision may vary from organisation to organisation.

  5. Ansuman Samantaray 7 months ago

    Informative and inspirational article on emerging technological trends dealing with advanced security threats. Nowadays supply chain management is bringing unknown security threats to an organization. This should also be included in the risk management framework.

    • Ratan 7 months ago

      Supply chain risk management (SCRM) has been part of Enterprise Risk Management for a long time now. Enterprises today see it as their synchronized effort to identify, monitor, detect and mitigate threats to ensure supply chain continuity and profitability.

      SCRM strategies and systems help an enterprise anticipate potential risks and adapt to both those risks and possible disruptions as swiftly and efficiently as possible.

      And so, as you rightly said, without SCRM, Enterprise Risk Management is incomplete.

      • Ansuman Samantaray 7 months ago

        Thanks sir for your comments.

  6. Bhaskar 7 months ago

    Great Article!
    Completely agree with Sir that security professionals shouldn’t be only protectors but also necessarily lifelong learners.
    Very impressive Journey!

  7. Sanjay 2 months ago

    What is the role of the CISO in digital transformation?
