Designation: CISO, ICICI Bank
- Ensures proactive posture towards security, with excellent management buy-in focusing on risk management and governance
- Pioneered implementation of a SIEM system in 2009 with a 24x7 SOC
- Achieved ISO 27001 certification for all critical infrastructure in 2010
- Proactive security measures leveraging NAC, IAM technologies for end-to-end coverage
Sunil Dhaka, the CISO at ICICI Bank, is well known in the industry for his expertise, and has a reputation for leading from the front. Dhaka joined ICICI Bank in March 2007, at which time, he says, the threat scenario was undergoing a change, altering the bank’s risk profile. The immediate requirement was to secure the bank’s applications that were undergoing frequent changes to meet business requirements.
Dhaka set about overhauling the infosec policy to bring it up to speed with the new IT and business environment. An NDA graduate, Dhaka is a proponent of proactive security. Dhaka firmly believes that the responsibility for security must be owned by every individual, and not just a single team or person.
At the time of his joining, infosec at ICICI Bank was being driven from a purely compliance perspective, regulated by RBI guidelines. Under Dhaka, the infosec policy revolves around architecture, risk management and governance. Dhaka reports to a director-level executive with the designation of president – in effect, the bank’s CTO.
The information security policy that Dhaka and his team conceptualized is a live document that involves much more than a mere point-in-time review. Dhaka splits his risks into applications and systems, with applications undergoing rigorous vulnerability assessment testing before going live and systems following a predefined hardening policy against which checks are carried out.
Dhaka’s team pioneered the implementation of a SIEM system in 2009, to monitor security events proactively, at a time when others were still busy putting up reactive security measures. This was a game changer, according to Dhaka, since using legacy methods to analyze logs from all available sources would mean that a response could only be reactive at best. This being one of the first SIEM deployments, the associated learning curve was steep. Dhaka was also responsible for setting up a 24x7 SOC to monitor all parts of the bank’s business, including retail banking, corporate banking, international subsidiaries and customer transactions.
Under Dhaka’s leadership, ICICI Bank’s entire customer-facing and critical infrastructure is ISO 27001 certified, including its data centers and DR sites, the security of which is also part of Dhaka’s portfolio. His team is responsible for governing over 80,000 endpoints, around 70,000 employees and an app basket of over 1,000 applications.
On the technical front, Dhaka has added a unique flavor by layering controls such as an enterprise-wide network access control (NAC) system. DLP solutions are in the process of being rolled out. The bank also has an identity and access management (IAM) system that provides end-to-end IAM with workflow automation.
With 12 years’ experience in infosec, Dhaka was previously the head of information security at ABN Amro’s central enterprise services. He also served 20 years in the Indian Navy, specializing in anti-submarine warfare. He retired with the rank of commander.
Dhaka believes that justifying security is always going to remain a challenge, and adds that security needs to be portrayed as an enabler rather than as a cost center. He feels that keeping up with a rapidly changing threat scenario is the greatest challenge that today’s CISO faces, in addition to acquiring and retaining skilled manpower.