Ratan Jyoti, CISO, Ujjivan Small Finance Bank is a firm believer that today a successful CISO is not just a protector but also necessarily a lifelong learner – a belief that he has embodied throughout his career, helping him evolve from a data warehouse professional to a CISO.
“It is said that learning is the superpower of superpowers, and continuous learning motivates and inspires me more than anything else and helps me carry out my own research,” quips Jyoti as he recalls the starting point of his learning process – his first job, which was a data warehouse project involving databases and programming. He was very particular about exception handling and validation in his programming, and gradually realized that the absence of validation could give him access to websites and the databases behind them. Slowly he started analyzing websites for their robustness; the process became a puzzle-solving exercise for him, and he started learning by himself. At that time there were not many tools available, and each website taught him a unique way to penetrate it. While he failed many a time, he was successful some of the time and could access what he calls the treasure, i.e. the data.
While his intrinsic curiosity led Jyoti to occasionally dabble in infosec, his first real exposure to the domain came with his move to the banking industry, where information security was very critical. There he got specialized exposure to networking, IT audit, risk management, etc., to which he owes his success as an infosec professional. “I strongly feel that a successful infosec professional should be good in all these areas and should be able to solve riddles,” he explains. Over the next few years he found himself transitioning into an infosec professional, partly due to his exposure to the underlying areas, but largely due to the field’s challenging nature.
Jyoti’s formal infosec journey started at Vijaya Bank where he worked for nearly 9 years and was elevated to the CISO position. In 2016 when Ujjivan Financial Services got an in-principle approval from RBI to set up a small finance bank, he got the opportunity to become the bank’s first CISO with responsibility for setting up its entire infosec infrastructure as per the banking standards.
CISO as a Change Agent Enabling Digital Transformation
Over the years of his evolution into a CISO, Jyoti believes that today more than ever is the most opportune time to be a CISO and is excited to have found his way to be in this position at the right time. “In this cyber age, CISO is seen as a change agent helping the organization to innovate and not just limited to security operations. The CISO can help the organization innovate with IoT, AI, ML, Blockchain, etc. and not just fight cyber threats. The most significant change I see is that today CISOs have earned a table at their board meetings and I feel this is just the beginning,” he explains.
To fit the changing cybersecurity business objectives brought about by digital transformation, Jyoti believes, the CISO role needs to evolve. “While 3-4 years back CISOs were technology driven and the main aim was to provide technological solutions to infosec problems, today they are becoming service oriented. In the era of digital transformation, strategic business enablement has become the main role of a CISO,” he adds.
To stay relevant in this changing cyber threat landscape, Jyoti stresses the importance of CISOs diversifying their skillsets, not only in technical areas such as Natural Language Processing (NLP), AI, ML, data science, Blockchain, etc., but also in transformational management skills around leadership, team management, business analysis, risk management and strategic planning. “CISOs today require innovation beyond traditional controls to provide security to their organization’s digital transformation, making transformational management skills key. Also, today’s cyber chain covers dark web-based services, tools and malware, making business acumen and leadership qualities of paramount importance,” he explains.
With digital transformation introducing complexity and new threats not limited to technology alone, Jyoti believes that CISOs need to approach cybersecurity and risk from a perspective of integrated security and risk management, with automation and agility in achieving security. Continuous reactive security has to be changed to a proactive and automated model.
Secure Digital Enterprise – Dos and Don’ts
Jyoti sums up his tips for CISOs for successfully managing a secure digital enterprise with the following ‘Dos’ and ‘Don’ts’:
- The CISO should have a clear roadmap of risk versus reward while planning for digital transformation and must be clear that all threats cannot be avoided. S/he should not try to tackle all threats, which is almost impossible in complex transformations, as breaches cannot always be prevented.
- Digital transformation is all about agility, requiring the CISO to be agile and leap forward with security.
- The CISO should have a clear understanding of the complete attack surface, and security models should be designed based on the attack distribution.
- As traditional security design is likely to introduce new vulnerabilities, the CISO should extensively use automation and orchestration for the most significant threat vectors.
- A data leakage mitigation plan should be considered from the beginning. The cyber playbook and threat intelligence are key to ensuring the security of the digital transformation journey.
- Compliance and regulation should be at the core while designing the security architecture.
- The security architecture should be designed with the customer at the centre.
- In the age of digital transformation, the CISO should not be influenced by technical bias.
- Digital transformation should not be treated as a product, as it is a voyage, and hence it should not be treated only as a technological shift. The CISO should ensure that adequate risk management and security controls are part of this journey.
- The CISO should understand that traditional security controls may not be very effective, that digital transformation would need innovation in security too, and that such security should be contextual.