Agnelo D'Souza

Designation: CISO, Kotak Mahindra Bank

Kotak Mahindra Bank’s CISO Agnelo D’Souza believes that there are two primary security challenges for organizations today. One, keeping the colossal amounts of data secure, and the second, security issues surrounding bring-your-own-device (BYOD) policies. As employees get increasingly empowered with smart devices, D’Souza feels that organizations have no option but to propagate a culture of business information security above and beyond mere IT security needs.

D’ Souza has been with Kotak Mahindra Bank for the last seven years. His role has evolved over time, and he is in fact the first designated CISO at the bank. Early on, D’Souza reported to the head of IT infrastructure. His current reporting structure is dual, reporting both to the IT head and risk management. In addition, he regularly updates the bank’s information security committee chaired by the joint managing director, on a quarterly basis.

Although security policies and procedures were in place when D’Souza joined Kotak, they were in silos and operated in isolation. D’Souza started off by getting the information security procedure documented with respect to the ISO27001 standards, instituted a proper framework, and implemented a comprehensive information security management system.

In D’Souza’s early days at the bank, information security was restricted to IT, but it slowly evolved to include business information security as well. Since 2009, in addition to the CISO, there is a business information security officer (BISO) for every business unit at Kotak Mahindra Bank. The BISO is part of the business side of operations, and is responsible for infosec within his/her unit. Training and awareness starts there, with the focus being primarily on data security. There are 28 BISOs supported by over 200 department implementers. Kotak Mahindra Bank has partnered with Mahindra SSG for this initiative.

In 2007, Kotak Mahindra Bank moved to a comprehensive managed security services program with Paladion, which brought a major strategic change, with D’Souza at the heart of it. This initiative has received tremendous acclaim in the industry, according to D’Souza. A documented security policy that was formalized in 2007 is reviewed annually.

Under D’Souza, Kotak Mahindra Bank’s data centers and network operations have been ISO 27001 certified since 2007. D’Souza plans to extend this to an enterprise-wide certification in the future, adding on one division at a time. While the bank follows all processes required from a PCI DSS point of view, it is not mandatory, he says.

D’Souza runs a 24x7 SOC from Bengaluru with an SIEM solution in place. While the outsourcing partner manages the SOC, D’Souza and his team own all the risk. His technical controls range from IDS and IPS through to Web and email proxies as well as other standard controls. D’Souza and his team oversee information security for over 12,000 employees of the bank.

Kotak Mahindra Bank currently depends on Active Directory for single sign-on. D’Souza is now in the process of evaluating data loss prevention solutions. For the future, the bank is looking at master data management to deal with BYOD, and D’Souza expects a rollout of this initiative very soon.