Developing a culture for security using innovative techniques: Sameer Ratolikar, CTO, Bank of India
Generally, banks put focus on ‘technology’ ignoring most important link of the chain — their own employees. While the IT products are designed and developed for end users, unless employees are trained on cyber security aspects of products, the information security initiatives are not successful.
For information security to be successful in banks, focus on people is extremely important in addition to processes and technology. To create a robust information security culture among employees, we gave an innovative name to our campaign. This was called ‘Arranging our own house first.’
This is a unique strategically designed multipronged employee awareness initiative to ensure that all the employees of the bank are made aware and sensitized about the importance of information security and privacy, resulting into alignment with our business strategy of customer satisfaction, acquisition and enhancement in reputation.
Being a multinational bank with presence across more than 18 countries, we are bound by local, as well as foreign regulatory and legal requirements. With this “problem statement,” we decided to develop a strategy to see that the above mentioned goal/objective is met , which should result into effective rollout and success of IT enabled products for our customers .
We created this innovative campaign as we had reasons to believe that the average customer and the employee were not aware about the basic security policies. When ROI was calculated and analyzed, it was found out that employee awareness about products and security played a crucial role in maintaining/elevating the reputation of the bank as it made our customers happy. We also believed that customers needed to be made more aware about password-related frauds and other critical applications.
At the outset, we deployed 2-3 information security and IT officers at regional offices to take care of their information security-related issues and conduct snap risk assessment of branches. We also conducted on-the-spot awareness sessions at branch manager’s cabin. We prepared a standard and uniform presentation of 6-7 focused slides to enable a focused approach.
We also made sure that information security posters/handouts designed and printed exclusively for branch and regional offices were displayed in the workplace areas prominently — highlighting the do’s and don’ts of information security. After every training session, officers at the regional and branch level are expected to read the ‘Information Security Pledge’, which is followed by all staff members.
Our other innovative approach, which is widely appreciated by DSCI, RBI auditors, Information Security Forum-UK and IDRBT is the “Information Security Portal.” The portal acts as a single window system for all security updates and requirements.
Our bank’s security policies like acceptable usage policy, procedures, disaster recovery process, and guidelines for our foreign branches are available online. To attract more and more employees, we have created an online quiz module and opinion poll. The winners in this category are rewarded with attractive prizes. Additionally, message from our top management about security is available on the portal, which sets the tone for information security governance. The portal is continuously monitored and updated by a team of security managers.
We have also tied up with six colleges across the country for conducting two days training programmes on information security and privacy. Attendees are advised on the importance of branch level security, RBI guidelines and basic business continuity practices.
Periodically, the bank also conducts a cyber security week, which has proven to be extremely useful for generating awareness among employees. We have speeches on cyber crime from RBI, police department officials and industry experts.
Last but not the least, we have published a basic handbook on information security. The book, written by me, covers basics on information security, which is applicable to all staff members. Security policies, procedures, IT act, RBI guidelines, worldwide cyber crime modus operandi, precautions while working on online banking, mobile banking etc is covered in this book.
Today, with this strategy of “Arranging our own house first,” employees are more aware of basic security hygiene, do’s and don’ts, and password secrecy including the importance of protecting customer personal identifiable information.
Today, as our employees are aware of security processes and its importance, they are able to better serve our customers, understand and help them resolve their complaints. We believe that we have truly achieved a perfect integration of people-processes and technology to achieve secure banking.