- Revamped Shoppers Stop’s information security posture in six months
- Realigned the information security policy to current standards
- Instrumental in Shoppers Stop’s bid for PCI DSS and ISO 27001 certification
- Effectively streamlined critical business processes
Shobitha Hariharan does not have what one might call the “typical” background for a CISO. Then again, the realm of information security abounds with people who “just kind of stumbled into it.” Coming from a law and accounting background, Shobitha had her first tryst with technology during her stint at BillDesk, an online payment gateway.
At the time Shobitha joined, BillDesk was still a startup. As with most startups, Shobitha was involved in multiple operations, which gave her the opportunity to improve systems at BillDesk by suggesting workflow changes for the existing technologies and applications. Her true initiation into security came when RBI mandated that third-party service providers undertaking financial transactions become compliant with PCI DSS and ISO 27001.
Shobitha was instrumental in BillDesk getting these certifications, and then maintaining them for nearly three years. She instituted security policies, managed the internal cleanup, and ended up with some solid hands-on experience in security and risk management.
Shobitha joined Shoppers Stop in May 2011, when the position of CISO was created in the organization. Before Shobitha, information security was handled by the IT team. She started by formalizing the security documentation, which, although it existed earlier, had never been reviewed. Within six months, Shobitha managed to map the security policy to the organization’s current state. As she puts it, “There is no team; I am the army.”
The current version of Shoppers Stop’s security policy is more robust and better mapped to the requirements of the business, in the context of India and the retail industry. Earlier, what was done on the technology front was not reflected in the documentation, and vice versa; this gap has since been closed.
Shoppers Stop is presently in the process of conducting audits and implementing this new security policy. Shobitha is also working on rolling out a formal awareness program in early 2012, for certain teams specifically and the organization globally. She believes that for a program to be sustainable, the employees need to be able to connect to it; just starting newsletters one fine day is not going to cut it.
Shobitha reports to the CTO of the Shoppers Stop Group. All infrastructure and applications at Shoppers Stop are shared, with customization as required for the various business units. A corporate IT team handles all key applications, and each business has its own IT head. The CTO, the IT heads and Shobitha together form the core team that handles information security at Shoppers Stop.
Shobitha has leveraged her previous experience to get under the skin of business-critical processes. Having delved deeply into the working of the various processes at Shoppers Stop, she has been able to sensitize the process teams handling critical processes to the importance of information security, creating hands-on awareness.
While Shoppers Stop is not bound by regulatory compulsions to obtain any certifications, Shobitha believes that one must nevertheless work towards certification, or at least set a certain level of standards to adhere to. The challenge, she says, is to achieve compliance with critical standards such as PCI DSS or ISO 27001, and then to remain compliant.