Rajesh Thapar, the Chief Information Security Officer (CISO) at Axis Bank, attributes an organization’s success to its ability to enable digital transformation through innovation. “It is important to implement technological solutions and align controls to manage the evolving nature of the global threat landscape,” he says.
Axis Bank is the third largest private sector bank in India, servicing large and mid-size companies, besides regular customers. With a market cap of USD 33.07 billion, the bank has over eight international centres beside India, making it essential to protect and safeguard sensitive financial data.
“Earlier, security professionals largely knew the threats they were facing, which guided an organization’s security strategy. But with digital transformation journeys involving entities across the boundaries of enterprise, newer threats keep evolving. Now organizations deal with potential attack vectors all the time and one of the key objectives to protect is by minimising the risk of ‘unknown unknowns,” says Thapar, who’s seen the evolution of the security industry during his career spanning over 25 years.
Microsoft Stories India recently caught up with Thapar to talk about the evolution of cybersecurity and how organizations can protect their customers.
“One of the key emerging risks is about the threats from trusted entities like partners, people, devices, servers, applications, and so on. Microsoft provides tools that can give visibility and strengthen controls against attacks from trusted channels,” he says, emphasizing the importance of implementing a Zero Trust framework.
Edited excerpts from our conversation follow.
How has the security threat landscape evolved over the last decade?
The internet has evolved rapidly in the last ten years, which led to a change in how organizations function. Today, productivity, automation, enhancement, and customer expectation have become parts of the core strategy in every organization. Even the perimeter is no longer confined to the office but has extended to cover people’s homes and their devices. This has led to a dramatic change in the threat landscape.
Now, bad actors don’t just attack an organization. They attack different users, customers, partners, suppliers, or devices. That’s a paradigm shift that has happened over the years.
Today, every company’s IT inventory has also increased multi-fold spanning across cloud, data centres, and every device can potentially be a point of attack. Additionally, there are crime syndicates that are evolving with cybercrime being offered “as a service” in covert marketplace. Social Engineering has been a dominant attack channel over the years and business email compromise, ransomware, phishing, among others are still relevant.
How has this changed the job of a cybersecurity professional?
Before the explosion of the internet, security professionals used to handle firewalls, proxy servers, email gateways and anti-virus solutions. But in the last decade many things, including banking channels moved online. Interconnected ecosystem, e-commerce, operational technologies adoption, IoT, and cloud adoption have become common. While this has benefited users, an organization’s risks have also multiplied.
We live in a complex world today, where security professionals constantly must keep thinking about what can go wrong. Previously we largely knew the risks that we faced, and we could compensate for whatever we did not know. But today, the cyber professionals need to constantly upskill themselves, continuously assess risks. They also need to take on different roles of being an influencer, protector, and responder, depending on the situation.
A cyber professional must possess strategic thinking skills and understand the nature of the company’s business. They should be good at articulating risks to business and balancing the ‘prevent and detect’ pillars. The cyber community is concerned about minimizing the risk of the “unknown unknowns”. It becomes utmost important to know the assets, risks, threats applicable on an ongoing basis. Thus, the need of the hour is to have complete visibility over all the threats that can materialize.
How did you implement the cybersecurity framework at Axis Bank?
Ten years ago, a typical cyber agenda was only to protect the perimeter. Now, detection and response have become more crucial because breaches can happen any time and perimeters have disappeared.
Banks align with the National Institute of Standards and Technology (NIST) cybersecurity framework. The first pillar of this framework is getting acquainted with your infrastructure and identifying risks and recognizing the regulatory mandates within which an organization must function.
After identification, organizations must work to eliminate these risks with finite budgets, resources, and time. Strategizing and prioritizing become very important at this stage.
While the intent is always to protect against all risks, it is not viable, hence adequate importance is given to ‘detect and respond’ pillar. Automation of security operations and cyber resilience are the key priorities for a bank’s cybersecurity framework.
At Axis Bank, we decided to implement different frameworks to counter threats. We used a mix of administrative, processes, and tools-based controls to safeguard our IT infrastructure.
What are some of the emerging threats in cybersecurity from a banking sector perspective?
One of the oldest threat actors, which still exists, is malware. It has only been changing shapes. Earlier, it was virus, then it became a malware, which has now taken the form of ransomware, adware, or spyware. Malware, therefore, is the key thing which becomes the entry point.
Second would be DDOS attacks, not just in the banking sector, but across every industry globally. This is also the easiest attack to execute for criminals because it just needs bots to target from compromised devices.
The third actor that has evolved over the years is the supply chain risk. This existed earlier as well, but not from a cyber perspective. If an organization’s partner gets impacted, there are chances they may be impacted as well.
Another emerging risk is around data-based attacks. Data protection, security, and privacy have become very important because it can be compromised by ransomware or data exfiltration attack or data privacy breach.
Social engineering attacks continue to be one of the top attack vectors for data breaches. A cyber- aware customer, employee or other stakeholder can significantly reduce the probability of compromise.
On technical control layers, some of these can be countered by various protection tools, supplemented by complete visibility of threats and attacks in IT infrastructure. Microsoft has helped us in our endeavour to protect us from many of these emerging threats.
Why did Axis Bank choose Microsoft as its partner?
Microsoft has been a pioneer in innovating technology including security controls and it has given us a lot of tools to identify and detect if there is any suspicious event or breach somewhere. We use Azure and utilize Microsoft Office 365 for our email security. Mail-based phishing and spamming attacks are the most potent threat actors deployed against employees. Microsoft helps us counter those threats effectively.
If we think of the period before the pandemic, banks were hesitant to let their employees work from home. But we could quickly adjust to the new normal because Microsoft’s solutions, along with other solutions, helped us stay ahead of the curve. We could capitalize on these tools like Azure, Office 365, and Azure Sentinel with ease and extend remote working for employees. Microsoft also helped us strengthen identity management.
How have you made cybersecurity a part of your culture?
Security is not one person’s job. It is everyone’s responsibility, and a top-down approach helps significantly. Unaware employees can expose the entire organization. The workforce needs to be sensitized because things can go wrong despite implementing security tools. As part of cybersecurity culture, it would be necessary to make stakeholders understand their responsibility and seek their contribution in strengthening the enterprise cyber security.
Increasing awareness about security with the company’s board is also very important. The translation of technical jargon to business language helps, so that leaders can understand the importance of risk and guide in decision making.
Awareness sessions are engaging and gamified with periodic awareness testing through simulation and metrics to assess the cyber aware workforce. Reporting of suspicious events has been made easier for users and partners.