Investments in cyber security should be futuristic: Mrityunjay Mahapatra, DMD and CIO, SBI
“We are the first bank in this country that has deployed ethical hackers. These hackers are continuously trying to exploit the weaknesses in our system and telling us the areas where improvements are needed. We are investing heavily in the security operations center and are one of the biggest recruiter of security experts in the banking space,” says Mrityunjay Mahapatra, Deputy Managing Director & Chief Information Officer, SBI.
In an exclusive conversation with Ankush Kumar, Mahapatra gave an overview of the rising cyber security concerns in the banking space and the preparedness of SBI in mitigating such threats. State Bank of India is country’s largest bank with a network of more than 13000 branches and five associate banks located even in the remotest parts of India. The bank is also devising standard operating process which includes escalation matrix and formation of war rooms for combating new age security threats.
Edited Excerpts
How do you see the present structure of digitization in the Indian banking sector?
There are two kinds of digital activities that are happening in the banking space. One is the seen part which is visible to all and the other is the unseen activities, that happens in the back end and usually the customer is not aware of it. The seen part of digitization is what we are doing in terms of customer experience, delivering banking products and providing services in digital platforms like mobile, web, ATMs, channels, etc. Then there is not so seen part of digitization that we are doing. These include initiatives like collection of payment data, cash movement data, last mile infrastructure and connectivity where the platform is required to be robust, scalable and reliable.
So there are many parts of technology; citizen centered technology, government centered technology, business centered technology, which are getting delivered unseen. And those have been taken as part of the hygiene of the ecosystem. This shouldn’t have been possible without adopting a digital ecosystem.
Digital in my view is what we are doing in the public domain, whether it is internet of things, payment system, cloud, mobility, etc. In addition, there are large system of productivity oriented, security oriented, and governance oriented initiatives which is happening in digital.
Why cyber security is considered to be the biggest concerns for banks ?
The banking sector has to be always prepared. The coefficient of magnification of same cyber incidents in any other sectors like manufacturing would gain the same amount of prominence in other sectors. But in banking the magnification is too much. Here a small incident could be blown out of proportion because people are concerned about their hard earned money and overall financial security is at the stake.
The truth is whatever we do, we cannot avoid incidents happening, because whoever are the cyber criminals, they have the ability of innovating and striking at will. Even if five percent of their efforts succeed, they could bring havoc to the system. For example, a DDoS attack, Distributed Denial of Service, the rogue traffic has essentially stopped benign traffic or genuine traffic from going to our applications. And every application has an inherited capability to stall it. So, it goes into hyperactive mode and the application gradually comes around. Therefore, whether it is DDoS, SQL Injection or any other newer methods we will have to be prepared for it.
What measures can be taken to mitigate advance attacks like DDoS ? What is the strategy of SBI to combat such security threats ?
As DDoS attacks can come from anywhere in the world, geographical boundaries are no constraint, the moment it pierces the firewall it will hit your critical system. The only thing that can be done is preparedness, how robust is your scrubbing services as compared to the speed that these DDoS attacks are coming. So, every time, you will have to be futuristic when it comes to investing in cyber security which SBI is doing. Second is the security practice compliance. I remember my candid conversation with Oracle CEO, where he was telling that whenever they acquire a new company, they bring down that application for periods ranging from one week to several weeks to develop those patches so that they are best security practice compliant. And we are also doing the same thing. We would rather bring down an application, patch it up, and promote it rather than allowing vulnerable applications working with them.
In terms of our strategies of mitigating cyber security risks, we are the first bank in this country that has deployed ethical hackers. And these hackers are continuously trying to exploit the weaknesses in our system and telling us that these are the areas in which improvements are needed to be made. We have preventive practices like security coding, employee frisking, master data management, robust data dictionary, all these are meant for preventive security. Then, on-the-go security is analyzing traffic, engaging struggling services, isolating like they used to do as you know in electrical engineering, they say circuit breakers. In circuit breakers part of the circuit will get isolated and others will keep on running. So similarly, how can we have applications in a modular manner so that if one particular area of the application is not working, we can bring it down, which customers will either not notice or will be impacted minimally. That is one practice we are doing.
We are investing heavily in the security operations center. We are hiring people from the market. We are one of the biggest recruiter of security experts in the banking space. So, all these, and engaging the way with partners like Oracle who believe on a basic level of security discipline is making things easier for us.
How do you see the progress of startups in fintech space and how is SBI associating with them?
One thing which is not so good about startups and fintechs is that they don’t have the deep pockets to invest in security. They want something to be up and running very quickly. But they don’t have the scalability, they even don’t have the security capabilities. So, we are doing the multimodal partner selection, investing in a security, coding, preventing so on and so forth.
Today, most of the cyber incidents are spreading through insiders and others are not even reported. In such a scenario, what kind of security framework is required for an organization and what is SBI doing ?
A few years back, security used to be a tick box kind of an exercise. You take a framework and you tick it and then people become defensive and don’t want to report it. We are building communities now, where at least in a closed room people will tell what has happened. Otherwise, there is a fear of misreporting, people don’t tell it or people believe that it is unique to them, so they don’t share it. Around 90 percent of the events happen by negligence of the insiders where the standard operating process is not followed, everything is going right, so nobody cares. Swift, for an example always told that nobody can violate their system, which may be true, but that kind of fosters a sense of complacence in the operatives. I think howsoever secure your house, maybe, if your doorways are not guarded, there will be a problem.
At SBI, we know that things will happen, so we are devising a standard operating process for everything, escalation matrix, formation of war rooms. Once things happen, how quickly we gather a bunch of experts, who can come together and start driving things from the front end. Then failover mechanisms like DR sites, near hot sites, how robust they are, recovery time, objective monitoring, recovery point objective monitoring, those have to be robust, then deployment of the frameworks. So, we are doing multimodal things in security.
How do you see the role of blockchain technology in the banking sector?
In the banking sector, the first application of blockchain happened in trade finance and thereafter SBI, we are promoting a chain called Prime Chain and are members of a consortium called the R3. There are companies like IBM and Infosys that are working on blockchain. No doubt blockchain has a great potential and there are multiple uses. But as of now, with the lack of standardization and lack of agreement on the protocols, blockchain is yet to have any significant impact. We are using it for consortium financing, for development operation, for KYC, etc. Innovative uses of blockchain have to come, standardization has to happen, people must agree for the same protocol. Existing players will also innovate. I see adoption of blockchain quite faster in the payment space, where we are seeing more application of blockchain. So, things are in a flux right now, but I think it has great potential.
Banking is one of the sector where lots of data sets are generated regularly. So how is big data and analytics being used by SBI ?
It is rightly said that data is the new oil and therefore it requires a refinery of data to get meaningful insights. The State Bank of India generates data every moment. We do 5000 transactions every second. That means every minute we have 300,000 transactions. We have 270,000 tellers who are logged in. So, we are looking at explosion of data at every touch point. First challenge is to recognize these data point as we don’t have the ability, time and money to convert every data into structured data and store it in data warehouse. So we have to work with unstructured data. The moment we speak of structured data and unstructured data working together, the role of big data comes into play. So, big data is an area where we are investing heavily. And companies like Oracle are working with us closely in doing analytics, giving insights into it, and also helping us to deploy technology to slice and dice data.
We are also working with Oracle cloud machine which is placed inside our firewall. And, it has all properties of the public cloud but we have the ability to keep it inside our firewall and the physical security is also with us. Oracle cloud machine provides one platform from development through production with full workload portability, rapid application development across public and private clouds with no rewrite, and much secure and compliant data at reasonable pricing.
As one of the pioneers in the IT space what will be your message to the CIO fraternity? How do you see the future CIOs as a torch bearer for the economy?
Futuristic CIO has to be exposed and connected because the world is becoming boundary less. Secondly, he has to allocate a separate budget for innovation and experimentation. He can not only keep the lights on. The third is that the approach should be towards the business side of the technology. So, he must learn how to build friendships and networks with his business counterparts. C-suite is a difficult position, but CIO will be more so difficult. And last but not the least, he must know how to lead people. At CIO level, very little technology, you can do yourself. You must keep the morale high, you must push people, but at the same time be friendly with them.