SearchSecurity.in CISO Power List 2012 Profile: Pankaj Agrawal, CISO & Head of Technology Governance, Aircel
Designation: CISO & Head of Technology Governance, Aircel
- Robust security architecture built in from the ground up
- Managed and consolidated infosec policies across locations
- Instrumental in comprehensive policy compliance initiatives and exception management
- Instrumental in designing Aircel’s DR policy and network threat model
When Pankaj Agrawal joined Aircel as its first CISO four years ago, the organization was a small, regional telecom operator poised for the big league. Plans were afoot to take Aircel national, but the obstacles were formidable. Agrawal was tasked with helping facilitate this massive transformation by overhauling IT and security at Aircel. Aircel took the leap two and a half years ago, and has achieved spectacular growth since then.
Agrawal was part of the team that rolled out Aircel’s massive application stack and consolidated the three existing hubs at Chennai, Coimbatore and Kolkata, into a centralized system in Gurgaon. He transformed IT at Aircel by signing up Wipro for a total strategic outsourcing partnership to keep pace with Aircel’s explosive growth.
During the pre-consolidation phase, Agrawal’s greatest challenge was devising a policy to deal with different IT frameworks and applications at the different hubs. Existing policies were ad hoc. Controls had to be adapted to take into account infrastructure and technology constraints that prevented newer controls from being implemented. This resulted in three separate interim policies being prepared. Later, during consolidation, a new policy was drafted for the planned state-of-the-art applications and systems.
In addition to his role as CISO, Agrawal is also responsible for the governance of strategic IT and technical outsourcing partnerships, and is the owner of all IT processes at Aircel. For IT governance, Pankaj reports to the head of the technical solutions group, the equivalent of a CIO. Additionally, he reports to both the CIO and the CTO for security.
Compliance is taken very seriously at Aircel, says Agrawal. Aircel’s data center is ISO27001 compliant and has not seen even a single minor deviation from the standard for two years running. Additionally, a comprehensive exception management process exists. All exceptions need duly filled exception forms, listing the compensating control and the target date for closure. Policy review is an annual affair, and happens through an exhaustive internal assessment.
Aircel is the textbook example of built-in security. With the entire IT backbone being rolled out afresh, Agrawal was able to build security into the system from the ground up. Each of the 60-odd applications in Agrawal’s basket underwent exhaustive VA-PT and code reviews before going into production.
At Aircel, identity and access management (IDAM) was implemented in the first phase of the IT transformation. User lifecycle management and single sign-on for all applications have been available from day one. Agrawal says that this has paid huge dividends, and enabled Aircel to leapfrog many issues endemic to standard IDAM implementations.
A strong proponent of metrics, Agrawal believes scientifically designed metrics and dashboards are key indicators for efficient IT and security management. He operates a 24x7 SOC managed by Wipro. Agrawal has also set up a dedicated security investigation and analysis/forensics team, which works with the SOC operational team to focus on bridging gaps in compliance and security.
Agrawal is also responsible for securing Aircel’s active cellular network. With the core telecom networks becoming IP enabled, direct exposure to the Internet now makes them as vulnerable as IT systems, he says. Aircel is in the process of perfecting an innovative and comprehensive network risk assessment model to address this. For the near future, Agrawal plans to implement an enterprise-wide unified ISMS and a data protection program. Prior to rolling out a DLP, a data classification exercise has been completed. An IRM and a DRM solution are also in the pipeline.