Head – Risk Management & CISO,
National Payment Corporation of India (NPCI) Ltd
Tell us in brief about your professional journey till date.
I have been working in the industry for the last 22 years, mainly in the risk and compliance function. I started with a telecom company and am presently with National Payments Corporation of India, heading Risk Management and Compliance.
Why did you choose information security as a profession?
Information security was never considered a mainstream control function about a decade ago. In early 2000, the internet and advanced technology were just making their entry in India. It was at that time I realized, as a risk professional, that technology has its advantages but at the same time there is a flip side to it, which can be used to take undue advantage. I think that prompted me to think about security and design adequate controls to prevent misuse. That's how I moved into information security.
According to you, what are the big challenges CISOs are facing today?
There are plenty of challenges for information security professionals in today's fast-growing technology world. There are multiple areas which are always top concerns for any CISO. People are getting more and more familiar with new technology and gadgets, but there is complete ignorance about making them aware of the risks and threats associated with advanced technology. Threats to securing critical infrastructure have increased manifold in recent years. However, data security remains the biggest security challenge for the CISO. Technology has advanced to the extent of securing infrastructure. But at the same time, security breaches have also increased in the recent past. Financial crime involving the stealing of customers' credentials is rising. So securing critical data is a challenge.
Do you believe in ‘information security outsourcing’, and if so, to what extent?
This is both good and bad. The good part of outsourcing information security is getting expert support promptly and continuously. However, it's very difficult to transfer the real business and security requirements from the organization to the outsourced vendor. Sometimes real actions cannot be taken because the decision is left hanging between the two. So it would be better to keep decision-making and strategy with the organization, and execution may be outsourced to the extent possible.
How do you define the thin line of difference between data privacy and data security?
Data that needs to be secured may not always need securing because of privacy, but it is certain that data pertaining to privacy must be secured.
What will be your suggestions to information security vendors providing solutions to reach your expectations and satisfaction?
It’s time to converge many solutions into a single comprehensive solution. Adding one solution on top of another would increase the cost and the effort to monitor, but the actual advantage would be very small. Having a firewall, IPS/IDS, APT and SIEM is the need of the time to secure your environment, but is it necessary to go for each component separately? Solution providers should look at ease of security operations too.