- Significantly revamped Axis Bank's security culture and posture
- Successfully switched to a managed security services model
- Conducted a rigorous VA-PT campaign for all critical applications and processes
- Achieved ISO 27001 compliance for ATM and Internet banking segments, instrumental in Axis Bank's bid to bring Data center and DR under compliance umbrella by 2012
Nabankur Sen is Axis Bank's first CISO, the position having been created in September 2010. Sen believes his greatest achievement as CISO at Axis Bank is implementing a culture of security in the organization. He is known to be stubborn: unless all the requirements are met, security never gives a go-ahead. The bank's employees, he says, have now begun to go that extra mile to address security issues.
Sen has been with Axis Bank since 2005. While he joined as head of information system audits, given his prior experience in security at State Bank of India, he was consulted when Axis Bank's security policies were first framed in 2009. Since taking over as the CISO 18 months ago, Sen and his team have worked hard to bring Axis Bank's security posture up to speed.
One of Sen's first moves was to revise the bank's security policy document and get it approved by the board of directors. A major change he then brought about was the adoption of managed security services from Paladion, which now manages the security policies and tweaks them constantly.
Going for a managed services model has enabled Axis Bank to rapidly overhaul its security mechanism. All applications and hardware now undergo compulsory VA-PT testing and hardening before being allowed into the IT infrastructure. Sen identifies application security as a major challenge and his team constantly checks applications for vulnerabilities.
He is averse to risking exposure and insists that applications pass his VA tests before going live. On occasion, when business factors are deemed more important and risks are low, he allows an application into production on the precondition that a definite timeframe is fixed for rectifying the security holes.
Sen has support from Axis Bank's security committee, headed by the executive director, CFO and other top level CXOs, in this endeavor. He is responsible for updating the committee every quarter on the bank's security posture. After initially reporting to the head of the IT function, Sen now reports directly to the ED and the CFO.
With Sen at the helm, Axis Bank received its initial ISO 27001 certification in 2009 for its ATM and Internet banking segments. Sen plans to bring Axis Bank's entire data center and disaster recovery centers under ISO 27001 certification by June 2012.
Sen is equally focused on technical controls. His team operates a 24x7 SOC, and the bank has gone a step further and is in the process of implementing a privileged user management (PUM) solution for its database administrators and other super-users. In addition, Sen's technical control basket is chock-full of solutions such as IRM, Internet VPNs, load balancers, log monitors and anti-phishing solutions, along with two-factor authentication for Internet banking and a Web application firewall (WAF) for legacy applications.
Sen plans to implement a DLP and IDAM solution in the coming year. His products and technical controls basket is already planned for next year, he says, and has received an 'in-principle' approval.
Sen has been an IT professional for over 30 years, having started out as a software developer. He switched over to system audits and security in 1995. Known for his people management and team-building skills, Sen operates a core team of 15, which includes expertise from the service provider. Sen's app basket carries over 300 critical applications. He and his team are responsible for securing an organization of over 30,000 individuals.
This was first published in February 2012