RBI Seeks Four VPs for New IT ArmBut Shouldn't the Regulator Appoint a CEO for the Group First?
The Reserve Bank of India is all set to recruit senior vice presidents for each of four vertical functions of its proposed new IT subsidiary. And yet, surprisingly, the regulator doesn't seem to have made much progress in finding a CEO to the lead team.
Hyderabad-based IDRBT, which is involved in setting up the IT arm and finding a CEO, has not commented on the issue. RBI's official spokesperson, too, did not respond to ISMG's request for comment about the proposed delay (see: RBI Seeks CEO for New IT Arm ).
While RBI's framework and process-driven approach are well appreciated, along with its focus on cybersecurity, the delay in finding a CEO to head its long-awaited IT subsidiary is concerning
RBI, though, is clear in what it wants in its new VPs: motivated professionals with extensive domain knowledge in IT related areas, particularly in:
- Research and innovation, including collaboration with other institutions;
- IT Systems, audit and assessment of RBI-regulated entities;
- IT project management, including support and advisory services.
RBI also says these vertical heads must have exposure to digital technology, anticipate future technology and respond to the fast-changing cyber landscape in the broad areas mentioned above.
Reasons for the Delay: Finding Resources?
While RBI's framework and process-driven approach are well appreciated, along with its focus on cybersecurity, the delay in finding a CEO to head its long-awaited IT subsidiary is concerning.
Many IT and security practitioners in India are exploring new job opportunities, are ready to take up new challenges and meet the RBI criteria. What, then, is the issue? Do RBI's conditions restrict the supply of IT professionals?
The key issue could be that RBI is not creating permanent roles for its IT subsidiary. For instance, it says the CEO will be initially designated as Officer on Special Duty up to one year, thereafter as CEO for up to two years, renewable by mutual agreement for a further period.
Responding to this, Felix Mohan, former CISO of Airtel and CEO of CISO Cybersecurity, an organisation that focuses on skill development, notes, "RBI's initiative to develop internal capabilities is good; but an ad hoc role for three years is not appropriate. It must consider five years. It takes one to three years to settle down and make concrete plans for a cybersecurity framework; implementation needs time."
While RBI doesn't specify if the vertical function is ad hoc, it's assumed that these roles could also be short term, as is the practice. The heads of the verticals will respond to the CEO.
The notification says these senior vice presidents are also expected to continuously interface with the industry, including start-ups and fin-techs, to be updated about ongoing innovations and advise on the desirability of implementing or responding to such developments.
Eligible candidates should be graduates in engineering/technology-related subjects, such as computer science, electronics, communication engineering and systems management. A post-graduate qualification is an added advantage.
The senior vice president's role requires a minimum of 10 years in IT in the respective areas, out of which at least five years are to be as head of respective functional areas in IT companies. Also, the age group is 35-45 years.
But unless the posts are permanent, and the candidates are given sufficient time and empowered to build an effective cybersecurity plan, there may not be great interest in the post.
Cause of Concern
The primary challenge that I see facing RBI is lack of specifications of the role and its modus operandi.
It's definitely a positive gesture that the team is envisioned to act as a catalyst for innovation, big systems and new ideas - apart from its capability to guide regulated entities in the cybersecurity areas of their operations. But it's all about how and when, something that lacks clarity. Given the speed at which the threat landscape is changing, and recent cyberattacks on the banking sector, it's time the regulator acted quickly, given the objective of strengthening cybersecurity in the Indian banking sector. The lackadaisical approach is causing concern for many security practitioners.
RBI, then, must get out of its bureaucratic structure and make quick decisions on cybersecurity initiatives. If required, it must rewrite its security guidelines and also incorporate the data breach disclosure mandate for all banks, compelling them to adhere to it.
How soon can RBI's new IT arm see the light of the day? What's your take on RBI's recruitment process? Is there an alternate route? Share your comments in the space below.