'There's a huge need for advancements in current security incident logging and monitoring practices.'
Advait Rao Palepu reports.
Nearly two-and-a-half years after the Reserve Bank of India published a cybersecurity framework for all commercial banks, banks are having a tough time finding the people needed to give them the necessary protection.
While top banks outsource significant cyber-security exercises and operations to consultancies and security firms, many smaller banks stand to lose out because they lack the same deep pockets.
For the past three months, we requested several meetings with Chief Information Security Officers (CISOs) at the top public and private sector banks, seeking information on the status of implementation of the RBI's circular. However, the banks declined to comment.
There are two essential core security exercises that banks have to conduct on their network, periodically, as opposed to day-to-day security checks.
The first is Vulnerability Assessment and Penetration Testing (VAPT) and the second is Comprehensive Security Testing (CST).
"About 90% to 95% of VAPT and CST exercises are done by tools and generally today 75% of these tests are done by the Big 4 (consultancies) because they have the tools and overseas experience," says a senior public sector bank official.
"For day-to-day activities," says Syndicate Bank CEO Mrutyunjay Mahapatra, "banks are trying to build a team of people who are certified with cyber-security skills and have risk management experience."
"However, there are very specific areas such as audits that are outsourced because they are process and technology intensive," Mahapatra adds.
Since these "significant" aspects of cyber-security operations are outsourced, the attrition/retention risks are passed on to the vendor, whether to one of the Big 4 firms or a security services company, he says.
Experts said that since the RBI's initial circular in 2016, almost all commercial banks have implemented the technical aspects related to cyber-security, including routine network upgrades and vulnerability testing, but governance and a talent shortage remain key pitfalls.
"While there is an improved symbiotic threat intelligence sharing amongst the CISO community in India and proactive measures are taken to avoid similar incidents, there's definitely a huge need for advancements in current security incident logging and monitoring practices," says Kartik Shinde, partner on cyber security at EY India.
"Around 90% of the cyber-attacks investigated by us have shown low maturity in the way logging of incidents and events is implemented, which leaves little or no room for doing a thorough investigation. Forget thinking about the next generation security operations centres," says Shinde.
In an era of hacking and growing cyber-threats emanating from State or non-State actors, banks have to improve 'trust' with their customers and therefore depend entirely on their cyber-security technology, internal governance frameworks and the people running these operations.
As banks rapidly embark on their digital journey, the attack surface will continue to increase and the attack vectors will get more sophisticated.
As regulations become stringent and the cost of compliance continues to rise, organisations need to invest significantly in analytics, automation and security platforms that will ease the burden, says Shree Parthsarathy, partner at Deloitte India.
Unfortunately, the deployment of technology -- by roping in consultancies or buying enterprise security software -- and finding the 'right' talent are both a function of the banks' investment and spending capacity.
This leaves the top commercial banks with the 'latest' technology and 'best' talent, while smaller rural or cooperative banks may stand to lose.
Sanjay Katkar, chief technology officer, Quick Heal Technologies, says the top public and private banks spend around 5% of their budget on cyber-security whereas the global standard is around 9% to 10%.
"Many banks and institutions believe that if they spend large amounts of money on technology, cyber-security problems will be solved. But security products are only tools and companies need to find the right manpower to handle these issues. I find that many of the CISOs at cooperative banks are not knowledgeable about these threats and technologies," says Katkar.
"Banks are taking cyber security very seriously," says a lawyer helping banks develop their cyber-security policies, "but are finding ways to avoid certain tough decisions. For instance, in some banks the CISO's role has been clubbed under the chief technology officers's ambit, which is not ideal."
Barring in-house employees, banks and other organisations routinely contract freelance cyber experts or 'white-hat'/ethical hackers, but they lack experience in dealing with different network systems.
"Most such security experts have managed small-scale systems or have worked on one or two application systems, whereas the entire banking system or even a single PSB may have multiple types of systems which could run into the hundreds," says Mahapatra.
Given the shortage of cyber security talent available for banks to hire as full-time employees, there is a high attrition rate.
The strength of a bank's network security and the ability of its staff to respond to cyber threats depend entirely on the governance framework and training given to its entire staff, across departments.
While top banks can afford to purchase high-end deception technologies and build strong security operations centre(s), they also have 'purchasing power' in terms of attracting the right talent.
This means that the security of smaller banks and of their customers' deposits/information will be left behind, as was witnessed in the recent Cosmos Bank hack.