CSO Interview: Must-have Skills for New-age Cyber Security Professionals
While the market is getting overwhelmed and proliferated with new age disruptive technologies like IoT, AI and Blockchain, the complexity of cyber-attacks has also increased, says Vimal Mani, CISO, Bank of Sharjah. In an exclusive interaction with Ankush Kumar, he explains that mitigating these threats requires high-end skills such as Malware Reverse Engineering and Digital Forensics, which have created a huge uproar in demand for new-age cyber security professionals. He talks about his biggest career move and the security strategy for the bank, and also shares his advice for young security professionals.
By Ankush Kumar
The banking sector has gained high momentum with the arrival of new age disruptive technologies such as Blockchain, IoT, AI and Analytics. Along with this technology disruption there has also been continuous growth in cyber incidents, which have become more complex in recent times. Vimal Mani, CISO, Bank of Sharjah, believes that banks today have a mandate to implement a foolproof cyber security practice under a Defense in Depth approach. This will ensure preparedness to combat the dynamically emerging cyber threats targeted at the banking sector.
In recent times the world has seen massive attacks like Ransomware, DDoS, phishing, DNS hijacking and identity spoofing that have created a sense of panic across various industries and governments. "Operations security, ICT supply chain security, software security, web security, application security, cloud security, industrial
Strategy for combating security threats
Explaining his viewpoint on combating such threat vectors and his overall security strategy for the Bank of Sharjah, Mani says that he is a firm believer in multi-layered security arrangements. "I prefer to architect the security ecosystem of my organization to be a multi-layered defense in depth approach. This starts with a governance layer (information security policies & procedures), then continues with physical & environmental security, network security, infrastructure security, systems security, application security, database security and operating system security. This is how I have architected the security strategy of my organization. To add more value to this Enterprise Security Architecture, I have layers of support provided by my internal audit and risk management teams, who review the cyber security practices of my organization on a periodic basis to give an assurance on the robustness of the cyber security practice."
Bank's Cyber Security Framework
The UAE-based bank has implemented a robust cyber security framework provided by NESA (National Electronic Authority, UAE), which oversees and regulates the cyber security practices of organizations from various sectors working out of the UAE. This framework has 188 controls to be implemented, covering strategic, operational and technical controls that address IT GRC and cyber security risks at a very granular level. "As an outcome of this framework implementation, we have multiple solutions such as endpoints, firewalls, proxies, APT solutions and a SIEM solution in place, which have helped us in strengthening the security posture of our organization. In addition, we have developed a detailed ICT Supply Chain Risk Management Strategy that guides us on systems security, application security, database security and vendor-managed software development. We have a comprehensive understanding of static and dynamic code analysis in application security, and the ability to provide effective remediation for identified vulnerabilities. We keep working on analyzing code vulnerabilities by having references such as OWASP Top 10, WASC TCv2, SANS Top 25 and CWE 25. We extensively use OWASP tools and methodologies in addressing application-related vulnerabilities. However, in my view, ideally ISO 27001 will be a suitable security framework for any organization."
Advice for Young Security Professionals
Mani sees a huge scarcity of well-qualified and knowledgeable cyber security professionals in the current market. "While the market is getting overwhelmed and proliferated with new age disruptive technologies like IoT and Blockchain, the complexity of cyber-attacks has also increased, which requires higher-end skills such as Malware Reverse Engineering and Digital Forensics, which have created a huge uproar in demand for Cyber Security Professionals." As a responsible professional who believes in guiding young security professionals, Mani says in his candid message, "Please observe the world around you, the technology trends impacting your daily life and the dynamically emerging cyber-attacks. Learn the basics of cyber security, which will help you in safeguarding yourself and the world around you. Beware of Social Engineering attacks on individuals happening through spam emails that lead to major cyber-attacks, and keep your eyes and ears open to learn new technologies so that you will not get laid back from the techno-savvy people around."
Biggest Career Move
Discussing his early days as a student and his major career moves, he elucidates, "I was academically a normal performing student in college days and passed out with a mere first class. But I was well determined to have adaptable skill sets rather than depending on a single skill. So I had to change a number of jobs to learn a number of new skills. Due to lack of learning, I never got stuck with one single employer. So keeping that in mind, I kept switching jobs, which helped me to learn new skill sets under the IT GRC umbrella, in which cyber security is just one element. So with this wider skill set in the IT GRC (Governance, Risk, and Compliance) domain comprising Cyber Security, in my 40th year, I could achieve the title of CISO of a Bank. My move from the Indian IT Services Industry to a full-time IT GRC Consulting job in the GCC region in 2009 was the game changer as well as a big career move for me."
Security Hygiene for Enterprises
As technology, and the security strategies that keep it safe, become obsolete at a generally higher rate, Mani explains that employee training is crucial in today's time. "Employees should be trained in the basics of Information Security starting from the job orientation program they attend. In addition, they need to be given awareness of the latest security threats such as Ransomware and Phishing, and of the preventive measures put in place by the organization, through periodic classroom sessions, exclusively designed eLearning programs, email alerts etc. Security campaigns can be done through exclusively designed wall posters, screen savers, and pamphlets. A Clear Screen & Clear Desk Policy should be implemented and awareness of the same needs to be provided to staff, which will help effectively in combating insider threats."
As the Chief Information Security Officer (CISO) of the Bank, Mani is responsible for the end-to-end information security program along with the coordination of information security efforts within the banking operations spread across the Middle East region. Bank of Sharjah has its operations spread across four of the emirates (Abu Dhabi, Al Ain, Dubai, Sharjah) in United Arab Emirates and Lebanon. The Bank offers general banking services, project finance, trade facilities, syndicate loans and short to mid-term loans.