Designation: VP & Global Information Security Leader, Genpact
- Managed a secure separation from GE’s infrastructure in 2005; built a parallel security infrastructure with minimal downtime
- Achieved alignment to BS7799 in 2004, which went on to become ISO 27001
- Successfully managing integration of acquired businesses into Genpact
- Successfully implemented a wide array of preventive measures
As the CISO of Indian BPO major Genpact, Adapa Raja Vijay Kumar is one of the few security leaders who can boast of building the security infrastructure in their organizations from the ground up. When GE sold its stake in Genpact in 2005, Kumar was part of the effort to set up a parallel security infrastructure from scratch and achieve separation from the parent company, with minimal downtime.
Genpact has been in business since 1998, when it was started as a captive BPO to GE. Genpact was still following GE standards up until 2003, when Kumar was given the mandate of revamping the organization’s information security policies and procedures.
Being in charge of information security for India’s largest BPO has not exactly been a cakewalk. Genpact operates over 35 sites in 13 different countries, and Kumar is in charge of information security for over 200 global customers, each with thousands of processes. Add to this a workforce of over 50,000 employees and Genpact’s voracious appetite for acquisitions, and you have your work well and truly cut out for you.
A big challenge Kumar faces today is integrating fresh arrivals into Genpact’s existing network and managing security provisioning, given the varied nature of their businesses. Catering to its constituent parts, while remaining flexible, has been one of Genpact’s biggest challenges — something which Kumar has nimbly managed.
At the outset, Kumar’s team drafted Genpact’s first global security policy document. The implementation was initially rolled out across all of Genpact’s India sites. It was around this time, in 2004, that the organization also aligned itself with BS 7799, which went on to become the ISO 27001 standard.
Genpact also has a veritable cornucopia of compliances with very tight contractual requirements to adhere to across the geographies it operates from. Given the nature of Genpact’s business, protecting sensitive customer information is the prime motivator for Kumar.
The reporting chain at Genpact highlights the evolution of the security function, with Kumar reporting to the CTO, who in turn reports to the CIO, then on to the CEO.
In addition to ISO 27001, Kumar’s team manages several compliances such as ISO 9001 for BCP and PCI DSS. The team is also responsible for driving organizational compliance for HIPAA and SOX, and regional compliance such as PIPA in China.
After successfully separating Genpact from parent GE, Kumar’s next big challenge came in 2008, when Genpact made huge investments in technical controls and focused on incorporating as many preventive controls as possible. This had to be achieved without impeding business. Starting from antivirus, firewalls, patch rollout tools and other such basics, Kumar’s tool basket now runs the gamut with log monitoring and event correlation tools, DLP, NAC, encryption and vulnerability assessment tools. Kumar also operates a 24x7 SOC in-house.
Looking to the future, Kumar wants to take up the challenge of providing a secure social collaborative platform for employees and support for personal devices. While caution has always been Kumar’s byword, he feels that the best approach with new initiatives is to manage the potential risks rather than perpetually say “No” to the business.
This was first published in February 2012