- Standardization of infosec policy across GMR group
- Key person behind GMR’s IDAM and DLP implementations
- Responsible for refinements in security policy and focus on bringing infosec under business risk
- Instrumental in grassroots-level awareness programs and bid for future governance and mobility initiatives
Designation: CISO, GMR Group
Subrahmanya Gupta Boda, the chief information security officer at the GMR group, believes that when it comes to information security, every business can be reduced to the same variables, provided one excludes the abstraction of the business, operations and infrastructure; while the stakeholders might change, the processes, risk management and asset categorization will remain the same. Thus, believes Boda, different projects can be standardized under common documentation and processes.
Boda joined GMR in late 2010 as its second CISO. He is responsible for managing information security for close to 140 internal subsidiaries at GMR’s three locations, namely, Bengaluru, Delhi and Hyderabad. As GMR expands, the locations are likely to at least triple in number during the next 12 months. Boda has a core corporate team of three reporting directly to him, while Boda himself reports to the group CIO, who in turn reports to the CEO.
Boda’s predecessor left the legacy of a documented infosec policy and an ISO 27001 certification. This could be considered a good springboard for any CISO to inherit, but Boda, having joined seven months later, found that massive gaps in security had sprung up in the interim. It was almost as if no documentation existed, he says.
His first task was to lick GMR’s security posture into shape and sustain the ISO certification, to which end he started pushing for periodic audits and gap analysis. His second major challenge upon joining was that the extent of the ISO certification was limited to the GMR unit in Bengaluru, even though other locations had documented security policies. Boda began standardizing the policies, with the corporate policies becoming the umbrella policy for the entire group.
The major amendment that Boda made to the infosec policy was strengthening of the business continuity of GMR’s information security management system and a bid for BS 27999 for GMR’s IT division, which was completed in April 2011. Boda’s focus since then has been to integrate infosec into the business.
Boda feels that lack of security awareness is a major issue, given the limited technology penetration. Awareness training thus ranks high on Boda’s list. User training is conducted regularly, with induction training, site visits and roadshows at all locations, including GMR’s highway projects. GMR also has a computerized learning management system, and infosec is included in the code of business conduct, which is part of the employee sign-off.
GMR’s data loss prevention initiative started rolling out last October, and is managed by Boda’s team. Post implementation, Boda says the responsibility for the DLP will be owned by the business and not the CISO, separating DLP incidents from IT incidents. This refinement is to ensure that business risk is owned by the business, he says.
Boda instituted a 24x7 SOC with an SIEM solution, which is vendor managed. GMR’s IDAM implementation is almost complete. Boda has stabilized patch management and manages a standard technical control set including IDS, IPS, AV and firewalls. His app basket has over 100 critical apps — predominantly SAP and Microsoft based — and his team secures over 4,000 endpoints.
Boda has big plans for the next four years. Starting with the evolution of his DLP initiative, he plans to also look at standardization of security governance, mobility management and GRC. Standardization of application testing and regular VA-PT exercises will be ongoing from 2012, he says.