GRC tools high on HDFC Bank’s infosec priorities for 2011

Automation of governance, risk and compliance has been identified by HDFC Bank as its top information security priority for 2011. While discussing his list of information security priorities, Vishal Salvi, the CISO of HDFC Bank informs that the bank is looking at acquiring a GRC tool for bringing automation into the processes of risk assessment, management and mitigation.

Apart from GRC tools, HDFC bank plans to further strengthen its identity and access management practice in 2011 with a special focus on user ID lifecycle management, achieve PCI-DSS certification for the bank’s infrastructure, as well as invest in solutions for data protection (such as digital rights management and encryption). Although Salvi is unable to provide exact figures, he expects security spending to be around 3% to 7% of HDFC Bank’s total IT budget. 

Join Dhwani Pandya of, as she interviews Vishal Salvi for an indepth view into HDFC Bank’s infosec priorities and challenges for 2011.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact   

GRC tools high on HDFC Bank’s infosec priorities for 2011

Dhwani Pandya: I welcome all of you to SearchSecurityIndia's - Information
Security Priorities of Indian Businesses: 2011 Edition, to help you identify
information security trends of 2011, we had spoken to a few leading
Indian Chief Information Security Officers. I am Dhwani Pandya,
Principal Correspondent with As a part of this
initiative, I would like to welcome Mr. Vishal Salvi, Chief Information
Security Officer of HDFC Bank.  Welcome, Vishal.

What are your key information security priorities for 2011?

Vishal Salvi: The key priorities that we have are we have done a
lot of work on online banking infrastructure strengthening that in order
to counter those threats in the last two to three years, and I think we
continue to extend that and with new threats evolving and with new
threat vectors coming on board, I think we will continue our journey,
in terms of making sure that we continue to strengthen that infrastructure
and are proactive, in terms of fixing those vulnerabilities so that we give
safe and secure computing to the end customers. I think the next key
initiative that we have is looking at governance risk and compliance
automation. There is a lot of work required to be done, in terms of
putting all these things together and better articulation of risk, better
measurement of risk, thereby, better prioritization of risk. The third
initiative is, we actually have started a journey on these areas on just
a couple of years back, in terms of getting our service providers
compliant and continuing to get our merchants compliant. I think
this year's mandate, in terms of looking at bank's infrastructure, so
that project is going to be key in terms of going granular,
in terms of looking at how we fare, viz-a-viz the requirements
of PCI-DSS standard, then starting a plan for remediation in
case there are certain areas where we need to start remediation,
so that is going to be key.

There is work happening related to identity and access management
where we have done some work, but we need to do additional changes,
in terms of integration of these processes together, in terms of how we
doing provisioning, to in terms how do we do IED lifecycle management,
in terms of management reporting and management re-certification.
While having done the technology integration and made some good
progress in risk integration, we would now focus very heavily, in terms
of business integration and see how we are aligning ourselves, in terms
of business requirement, in terms of having a good dialogue, to tell them,
in terms of business value, and also in terms of looking at whether what
we are doing is aligned to the business value expectations that they have,
in terms of whether it is compliance, whether it is risk mitigation, or
whether it is the customer's expectations.

Dhwani Pandya: Can you share with us some details about the initiatives
that you will undertake to address this priority?

Vishal Salvi: Having spelled out the priorities, it is fair to assume that we
would be looking at a tool which will be focusing on governance risk and
compliance automation. We would be looking at specific tools for data
protection. It could encryption or it could be digital rights management.
There could be acquisition and tools for strengthening our identity and
access management stack. There would be much more, for example, we
would be looking at something on perimeter, where we would look at
firewall rules management, and looking at how the rules are working, what
are the obsolete rules, and so forth.

Dhwani Pandya: What would be your key information security challenges in
2011, and how do you want to address them?

Vishal Salvi: Every time, it is all about change management. It is largely
an influential role because business is focused on getting the business,
and it is your responsibility to make sure that you are able to protect that
business. You always need to be on the lookout for what is the most
important thing for the business at this point in time, when it comes to
improving security issues, and be able to translate, influence, and try
that change within the organization. Sometimes you try the change
because of compliance requirements, the client requirements, or risk
mitigation. Make sure that you get the right sponsorship, in terms of
engagement, to make sure that change happens to the organization.
There are other challenges, for example, we are going through a phase
where technology is rapidly changing when it comes to security. It is
going, changing, and there is a lot consolidation which is happening in
the vendor space. As a result, the stability, longevity and supportability of
the tools is actually not 100% sure, and none of the tools, on their own,
meet all the requirements, and a lot of these tools give you something
much more than what you ask for, and you land up actually trying to use
that just because you bought it. That also becomes a big challenge. It
would have been great if we actually get the process right, and the tool
has just become an incidental to that activity.

Dhwani Pandya: Can you highlight how much percentage of the IT budget
would be spent behind information security?

Vishal Salvi: If you look at the percentages that we have seen globally, it
ranges anything between 3% to 7% for decent-sized organizations. I am
not talking about start-ups here, because start-ups may have, most trends
in the initial days, but over a period of time, they stabilize. I think it is around
that, as I said, depending on the changing factors, people may spend on the
higher side, depending on what risk they have for that particular time of the year.

Dhwani Pandya: What trends do you foresee for information security
in 2011?

Vishal Salvi: A lot of the security is driven by compliance; you find most of
the initiatives are largely driven by compliance. Slowly, we are seeing that
changing to customer expectations and customer needs driving that change.
It is, at this point in time, largely driven by companies or industries which are
more dependent on heavy customer expectations, for example, the KPO
industry or the BPO industry, which as a result, we find that security
control is at the highest working level. Over a period of time, that I think
will also extend to banking and to other industries where the customer will
start demanding security in the products that we give, and the customer will
start demanding privacy in the information that they share, standardization
of risk management factors. Globally, I do not think that one has achieved

My sense is that in the next two to three years we will have some more
standardization, in terms of how we define terms like: What will risk mean
to me versus somebody else in my industry? What does threat mean?
What does vulnerability mean, and how will we actually start measuring it?
At this point in time, there are so many standards and there are so many
tools that . . . It is very difficult for one person to come out with a standard
methodology and to be able to consistently follow it. Forget about across
the industry, but within the industry also there are different methods being
used, and they are not complete, also. Completeness of the practice and
standardization of the practice, I see happening in the next two to three

Dhwani Pandya: Thank you a lot, Vishal, for sharing this
insight with us.

Vishal Salvi: Thank you.


View All Videos