Designation: CISO, HDFC Bank
- Achieved 100% compliance with security policy among HDFC Bank’s 40,000+ employees
- Completely overhauled HDFC Bank’s security policy design
- Implemented security metrics measurement using ISO 27004, and a 24x7 automated SOC
- HDFC Bank ranked 12th out of 150 organizations globally in the ISF Benchmark Standards Survey in 2009
Vishal Salvi is among the leading ambassadors of the new CISO breed in India, and heads the information security function at HDFC Bank. Today, HDFC Bank boasts 100% compliance with its security policy — no mean feat, given that it employs over 40,000 people.
A testament to HDFC Bank’s foresight, Salvi has been pitched in a strategic role from day one. A perfect example of the CISO’s changing role in today’s business environments, Salvi leveraged this opportunity to the hilt, instituting an evolving security policy without hindrance to the business.
Soon after he joined the bank in 2007, Salvi and his team set to work. His first priority was to completely overhaul the bank’s existing security policy within six months, with a focus on design. He engineered a ground-up change in the infosec strategy framework at HDFC Bank, and played an instrumental role in the bank’s bid to automate its manual processes.
On the way, Salvi successfully leveraged the expertise he had garnered from a decade of exposure to global standards and processes with majors such as Standard Chartered Bank. Today, HDFC Bank’s security policy revolves around design, awareness, control implementation and governance. Membership of the Information Security Forum (ISF) came next. Under Salvi’s leadership, HDFC Bank ranked 12th out of 150 global entities in ISF’s Benchmarking Standards Survey, 2009.
A firm advocate of leading from the front, Salvi believes in taking infosec challenges head on. Even as his contemporaries still work on getting their act together, HDFC Bank is one step ahead, measuring its security metrics under ISO 27004. Salvi has successfully driven change across the bank’s security culture, spreading his security policies across three logical sections — users, practitioners and the organization. After the adoption of ISO 27004, decision makers at HDFC Bank have access to automated monthly organizational security dashboards.
On the incident response front, Salvi’s team operates a 24x7 on-site automated security operations center (SOC). HDFC Bank’s IT operations and data centers have been ISO 27001 certified since 2009. During his stint, Salvi has also put in place a partnership to secure HDFC Bank’s online banking stack using RSA’s adaptive authentication and key fraud network. Salvi aims to achieve end-to-end automation in an operational mode by the second quarter of 2012. Under his leadership, HDFC Bank is now working on incorporating DLP/DRM solutions, along with automation of its IAM system.
Today, HDFC Bank’s security committee comprises the bank’s executive director (ED) and group heads, with Salvi reporting directly to the ED. Overseeing business continuity is also one of Salvi’s responsibilities.
When it comes to the future of the CISO’s role in India, Salvi envisages a structure wherein CISOs do not report to technology. He feels that information security is not a rubber stamp department; it should be categorized under risk, where it rightly belongs.