Interview: Ashutosh Jain, CISO of Axis Bank

Ali Taherian: You've come to your current role with extensive experience in auditing. How does that background contribute to your current role, and what was your career route into the CISO position?

Ashutosh Jain: When I was doing my MBA (Masters of Business Administration), I realised the future of financial services is going to be technology.

Auditing was the initial few years of my career and actually gave depth to my understanding of information security. Generally, people start their career in information security a bit more narrowly focused, but when consulting and auditing (marry) together, one gets the chance of having a huge breadth, not only across all the technology but also across various verticals.

That breadth really helps a lot in later years when you want to specialise.

AT: How do you communicate information security issues to the board? 

AJ: First of all, I think the most important principle in communication with the board is communicating in understandable English, because when the conversation remains technical, people cannot appreciate the full depth of it.

A CISO is supposed to translate the technology in a manner that can be understood in plain English. Secondly, understanding the full risk is absolutely critical for the CISOs themselves: a proper understanding of technology, and hence of its business impact, in order to be able to articulate the full impact.

AT: How does an MBA contribute to excelling in the CISO role?

AJ: (The) CISO role is the marriage of business and technology; a very limited profession that requires technology and management skills, and requires the art of articulation. It touches (on things) in a manner that can be understood very well. That's the reason (an) MBA is extremely important (to) help to succeed in this profession.

AT: How do you assess the responsibility of the CISO for educating the workforce?

AJ: There is a classic saying in our profession that information security is everybody's business.

It simply means appreciation, in the sense that if I do something wrong, the organisation is at the receiving end. This kind of appreciation will come when people have some kind of connection with information security, and that is where the CISO is responsible for having an enterprise-wide plan to make people aware of what the consequences of their options are. The board must be aware of technologies and is not an exception.

AT: Do you think that there are cyber security skills shortages in the financial sector in India?

AJ: There is always a shortage of really good talent because the technology is evolving very fast; the talent from five years back needs to get reskilled now, so the demand is always there. India is actually a country producing real talent, used domestically and internationally. I think at the macro level (it) looks acceptable, but at the micro level there is always a demand.

AT: What is your suggestion to women who want to follow a career in the information security industry?

AJ: I see women personally as a symbol of patience. Patience is a really handy ability in risk management because a lot of the time people are not willing to share necessary information. I have seen women excelling in these areas.

AT: Does your organisation share threat intelligence with public bodies such as CERTs, commercial rivals or any others? What do you gain, and what are the risks?

AJ: Banks are required to share threat intelligence with regulators and law enforcement, which happens regularly, but apart from that we have a consortium of banks where we share information among ourselves to find out exactly what is happening, so that we can learn from each other.

AT: Ransomware is one of the risks that has increasingly threatened all industries. From your perspective, how should banks address this risk, and what has really worked for you to mitigate this risk that you would recommend others might also do?

AJ: There are a few things that must be taken care of in order to mitigate ransomware risk and I know most of the institutions are doing so.

Ransomware has multiple aspects. The first and foremost is awareness for people. There is (a) clear element that people must be extremely careful not to share their email ID and contact details with (the) public unnecessarily.

Secondly, secure browsing: not opening any files and not (executing) any document that comes to them.

Thirdly, with respect to endpoint security, that needs to be installed and used respectively to enable us to protect the endpoint.

Fourth, with respect to forensics, one should have the capability to detect if something has really gone wrong.

The fifth and final thing is that even if there is a ransomware attack, which might happen to financial institutions, one should have the capability (to) recover as (much) data as possible.

AT: What are the biggest challenges you face in the year ahead?

AJ: Payment delegate malware (is) going to be a very big threat in the upcoming year, likewise ransomware attacks. I think this is going to take a much larger shape and form, and financial institutions must take care of these risks and take action well ahead of time.

AT: How do you predict the future of authentication in online banking?

AJ: Authentication is one of the classic scenarios that is struggling between convenience and security. In terms of what exactly will be the future of authentication, I think it will be pro-convenience, and the entire authentication (space) will move slightly forward on the convenience factor. We can see the kind of comfort that is coming via biometrics. But security will always take some time to catch up, because the institutions have to learn from their mistakes and catch up accordingly.

I would not quantify the complete replacement of password-based authentication in a number of years, but I would say that it will be a factor of peer pressure and the capability in the respective areas.

AT: How should banks mitigate risks associated with the use of biometrics?

AJ: Biometrics risk comes in various shapes and forms. It can be how exactly biometric data are stored on a mobile phone or tablet, or whether or not somebody can read or bypass them. I think these scenarios must be studied thoroughly during the evaluation phase and taken care of accordingly. In the case of outsourcing biometrics solutions, proper in-house lab testing, source code review, or a mutually agreed testing lab must be considered to mitigate the risk of integration.