“Continuous risk management is the key to managing threats”

Shaik J Ahmed

Increased smartphone ownership, a growing internet user base, the entry of fintech players, and new emerging technologies are fueling India’s payment industry revolution and hastening the transition from a cash-centric to a digitally empowered economy. To understand how the Indian payment industry is undergoing a revolution, Nidhi Shail Kujur of Elets News Network (ENN) interacted with Shaik J Ahmed, VP of Security Risk & Governance, Mashreq Bank.

What growing information security trends do you see in the Indian banking industry? How resilient is our banking infrastructure against threats?

The banking industry plays an important role in capital creation and the smooth functioning of business activities. Innovation, digitalisation and digital transformation have become paramount to remaining competitive and sustained. The major security trends that we see now include cloud security, zero trust concept, XDRs, SecDevOPS, SCA and SBOM reviews, enhanced VM and patch management processes, tools and automation, IAM, Immutable infrastructures, CASB, SOAR, Cyber risk quantification, third & fourth party risk management, improved preparedness for cyber incidents, growing partnership with governments, between industry and security communities across the globe. There is a silver bullet for resiliency against threats. Continuous risk management is the key to managing threats.

Why is it that despite spending billions of dollars on information security each year, scores of organisations are compromised every year?

2022 Data breach investigation report reveals that 82 per cent of breaches have a human element involvement, including social attacks, errors and misuse. Data breach average cost increased by 2.6 per cent from USD 4.24 million in 2021 to USD 4.35 million in 2022. Compromised credentials, misconfiguration, and insufficient risk-based cyber security hygiene are other causes of information security incidents. A healthy risk-based due care and diligence along with continuous security education, awareness, and training is the key to improving the security posture and minimising information security breach incidents.

How do machine learning and security automation influence security leaders and strategies?

There are two things to consider. Data and Rules. Using these, a model is created which underpins the working principle of AI, ML, DL, security automation, and other emerging technologies like RPA, NLP, Blockchain, SOAR, XDR and others. These tools can inject greater benefits towards productivity as well as infuse unknown risks into the environment. The organisation must apply risk-based decisions when deploying any automation and ensure safeguards and controls are deployed to manage the outcome that we expect from these emerging technologies.

The Indian payment industry is undergoing a revolution. Has the information security infrastructure kept up with technological advances?

Increased smartphone ownership, growing internet user base, entry of fintech players, and new emerging technologies are fueling India’s payment industry revolution and accelerating a shift from a cash-centric economy to a digitally empowered economy. While we see the changes in the way, we use and manage the data, the fundamentals remain the same. The Data, network and systems need to be managed to enable a secure environment to support the business outcome. Concepts like zero trust, Secure Access Service Edge (SASE), Chip-based security, Digital Risk Management, XDR, cyber security maturity architecture and increased awareness at the board are supporting keeping up with the pace.

Also Read | Identity Management has become a crucial part of every organisation’s cybersecurity strategy

What are your thoughts on managed security service providers? What function can they play in enterprise security?

Managed Security Service Provider (MSSP) adoption is growing. The typical benefit of an MSSP is to reduce the cost of maintaining an in-house 24/7 security operation centre and security incident response team. There are many upsides and downsides when we leverage an MSSP. MSSP may reduce HR work, and training, and reduce the skill gaps at the same time, MSSP can also pose security risks. At the end of the day, MSSP is also an organisation and, none is free from cyber risks and attacks. I would suggest that a hybrid model – in-house cybersecurity team plus an MSSP is a beneficial model.