RBI Seeks CEO for New IT Arm
Security Leaders Weigh in on Job Requirements for New Post
For this role, RBI is scouting for a CEO to lead a team in IT-related areas including cybersecurity, responsible for strengthening cybersecurity in the banking sector, according to RBI's official statement.
Security practitioners and experts welcome the move, saying the idea of a subsidiary, first discussed by RBI governor Raghuram Rajan in May, is becoming a reality.
"RBI insourcing its cybersecurity and IT resources is a positive sign," says Delhi-based Felix Mohan, former CISO, Airtel, and CEO of CISO Cybersecurity, an organisation involved in skill development. "This will help equip the sector with tools to combat cyber-threats.
"There are several qualified CISOs and GM-level within banks and other sectors who are a good fit for the CEO's position," Mohan says.
Hyderabad-based IDRBT is involved in setting up the IT subsidiary and prescribing guidelines and policies. However, Dr A S Ramasastri, director, IDRBT, declined to comment to ISMG.
Official sources say the IT subsidiary will act as a think-tank for innovation, big systems and new ideas.
Eligible candidates should hold a post-graduate degree in engineering/technology with a bachelor's in computer science, electronics, and communication engineering systems management.
RBI's chief general manager-in-charge, Department of Information Technology, says prospects in the age group 45-55 years must have a minimum of 10 years of experience in the IT industry, preferably in cybersecurity and IT systems audit and assessment and implementation of critical IT systems. The critical criterion is at least five years at a senior level as head of a large unit of an IT company or IT unit of a bank/financial institution.
Coimbatore-based S N Ravichandran, cybercrime investigator and member of Cyber Society of India and DSCI, says the candidate must be technically qualified with managerial skills and understand the legal system and laws relating to security to combat cybercrime.
"Today, for banks, security means protecting their backs and passing the responsibility to the customer," he says. "Banks are increasingly changing from guardians of depositors to just a deposit locker where the keys to the safe lie with them and the security of the deposited money lies with the customer: a responsible security head is the need of the hour to protect customer assets."
RBI says the CEO will be initially designated as Officer on Special Duty up to one year and thereafter as CEO for up to two years, renewable by mutual agreement for a further period.
Mohan says developing internal capabilities is good, but an ad hoc role for three years is not appropriate. "RBI must consider five years - it takes one to three years to settle down and make concrete plans for a cybersecurity framework; implementation needs time."
As for the 55-year criterion - someone close to retirement would not have the drive to handle regulatory frameworks or innovations, some critics say.
"The candidate must be given sufficient time and empowered to take on the government if it's tardy in formulating laws which help security protect critical infrastructure," Ravichandran says.
Role and Responsibilities
RBI says the new subsidiary will focus on IT strategy for regulation and create a think-tank of high intellectual caliber, apart from guiding the regulated entities on what must be done in the IT area of their operations, and for RBI's IT-related functions. Also, it must effectively participate in setting up standards to strengthen RBI's role as regulator.
The entity will have advisory committees for guidance on cybersecurity, current and futuristic requirements of entities regulated by the RBI, particularly from regulatory and supervisory perspectives and to advise RBI on its IT systems and projects/procedures.
The subsidiary will report periodically to RBI's apex level committees, too.
Mohan sees RBI adopting a model similar to the one absorbed by the Department of Telecom for the telecom sector - for training internal teams to conduct audits and issue regulatory guidelines.
According to the CGM's statement, initially, the CEO is expected to participate in setting up the IT subsidiary and will be designated Officer on Special Duty and be responsible for establishing an appropriate structure for the company and a team that fits its requirements.
The CEO must anticipate future technology and the fast-changing cyber landscape and formulate an IT strategy for regulation and supervision of the cyberspace and service requirements of the Banking and Financial Services Sector.
Critics recommend that RBI empower its IT arm to ensure compliance across associated banks - or else it will be another toothless committee.
More than experience, the prospective leader's skills are important. Ravichandran recommends:
- The CEO should be a decisive leader with the gumption to oppose the RBI board if it tries to ram in technology without preparing a base for it;
- The post must have the powers to penalize banks not compliant with security requirements;
- It must have the imagination and ability to forecast threats and prepare counters to them over the next five years at least.
Hyderabad-based Milind Rajhans, AGM-IT & CISO, The AP Mahesh Coop Urban Bank, says the chief should carry the mandate of helping other associate banks in adhering to infosec policies and standards, instead of playing just another auditor role. "This is important because most banks do not understand the level of integrity required to establish the IT security governance structure within the bank," says Rajhans.
"Since the banking sector is a beacon, RBI should ensure the cybersecurity chief understands that cybersecurity isn't about protecting a single organization, system or device, but the entire cyberspace of the vertical," says Mohan. "A weakness in any of them can become a potential vector for attack on others."