Global Banking Perspective: Vishal Salvi, CISO, HDFC Bank in India
In an exclusive interview, Vishal Salvi, CISO of India's HDFC Bank, which Business India named "Best Bank 2008," discusses:
Salvi has 15 years of industry experience having worked in Crompton Greaves, Development Credit Bank, Global Trust Bank, Standard Chartered Bank before taking on the role of Chief Information Security Officer & Senior Vice President at HDFC Bank. Prior to joining HDFC Bank, he has worked in Standard Chartered Bank for eleven years and played variety of roles in IT Service Delivery, Governance and Risk Management and Information Security. At HDFC Bank, Vishal heads the Information Security Group and responsible for driving Information Security strategy and its implementation across the Bank & its subsidiaries.
HDFC Bank, based in Mumbai, India, was incorporated in August 1994, and, currently has a nationwide network of 1412 Branches and 2890 ATM's in 528 Indian towns and cities.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking about global banking issues today, and I am privileged to be speaking with Vishal Salvi, the CISO with HDFC Bank in India. Mr. Salvi, thank you so much for joining me today.
VISHAL SALVI: Thanks for having me here.
FIELD: Very good. What can you tell us about your institution and your role there as CISO?
SALVI: My role in the bank is to drive the information security strategy, security policy, manage and deal with risk managers to ensure that we have a proper risk management team moving forward looking at information security issues, high level program management of all information security initiatives and driving the security strategy pretty much forward in the bank.
FIELD: What do you find to be your greatest security and risk management concerns today at the bank?
SALVI: In the field of banking, one of the key areas and things that is important for us is to ensure that we have the customer's trust ... to ensure that we have the highest degree of confidence that they have in terms of keeping the money and realizing the terms of the different channels that they use while banking with us. So you know there will always be different stakes and different risk factors around us. When we look at online banking, and although everything is now electronic and everything is now online and the money is flowing electronically, we need to ensure that you have the integrity ... and obviously the opportunity of the data and information that is given for the customers. So we pretty much work under the three pillars of information security, but you know, underlying that it is more important to make sure that all of these channels are having the rights rewards and to investigate from a security point of view to be able to address the new and growing threats which surrounds the banking industry in particular, but generally all industries as a whole.
FIELD: Now do your customers do a lot of mobile banking as well as online banking?
SALVI: Mobile banking in India not yet found a channel ... Whereas when we look at online banking, it has been around a few years now, about five or six years. Having said that, it has been a [small] market primarily because we still have 5,000 penetration in terms of the internet users in India. So there is a lot of opportunity and potential for online fraud, and obviously mobile banking as well. I guess it would be largely in the next one or two years it will be focused more on internet banking while the mobile channel picks up [customers] of the bank.
FIELD: I understand. Now in the United States, the threats that we talk about a lot are fraud from the outside and the internal insider threat. What do you find to be the greatest security threats now to your institutions?
SALVI: I've seen some reports about 30% of threats being insider and 30% being from outside. I think my take on this is that you know there are--if you look at the threats, and you know the reason for disclosures which have happened for insider fraud is largely focused on the process side more and less on the actual consumer side. So, you know, my view is that one needs to work at a strategy which will focus on both your internal controls as well as external controls. I think we need to be focused on both areas equally, so that you will be able to tackle both these issues at the same time rather than start worrying about one after another.
FIELD: So it doesn't sound like your threat landscape is really any different than what the institutions see here in the U.S.?
SALVI: Well, absolutely. I think the only thing I would say is the threat landscape is changing rapidly. I would say that it follows the penetration in terms of the usage ... so as we see more and more increase and we are seeing the user [base grow] in the Indian market as far as online banking is concerned, we are seeing more and more increase in the threat landscape.
FIELD: Now as you know, as a bank you can educate your customers, but they have to take certain steps to protect themselves. With your online customers how well are they protecting themselves from the threats that you see in the marketplace?
SALVI: Here we see a key part of our customers are informed, and we send them awareness messages. We have posters throughout branches. Having said that, one cannot just rely on awareness as a strategy to be able to conquer this issue because you can't assume that all but some are aware and not fall prey to such fraudulent activities like phishing and fraudulent attacks. So we have also had a strategy of having a communication solution, which is actually sitting and working on all of net banking solutions to be able to directly protect our customers from falling prey to these attacks. So I think it is a combination of both. You need to give solutions such as technical control so that you make it error proof and fraud proof for the customer, and at the same time you also have a continuous internet campaign for people not to fall prey to activities or fraud.
FIELD: Now are these measures just measure that you take as your own responsibility at the bank, or are they mandated by your regulator?
SALVI: The regulator plays a very active role in looking at what all of the banks are doing as far as these counter measures are concerned. There are obviously banks who are doing more than others, but I think the regulator does keep on looking at what is happening, suggesting specific actions to be taken by some banks more than others. So I would say they are playing a very active role ... Having said that, banks like us are proactive enough to not just go by what the regulators are asking us to, but doing more to make sure that we are proactive enough to be able to predict how the trends are moving and then accordingly take the necessary steps and countermeasures to be able to protect our customers' interests.
FIELD: You talked about customer trust earlier. Has that been impacted at all by the recession? It sounds like perhaps not -- that the banking institutions really haven't been affected as deeply as the American ones have.
SALVI: If you look at it from our bank perspective, you know we've been having--since the bank was formed we have been having a consistent growth of 40%, and in last quarter we had a growth of 45%, so I don't think there has been any direct impact right now on what's happening. But we expect to grow with the same numbers because we have been a very conservative bank right from the beginning, and as a result we have been focusing more on the pure banking than the different products, so we have kind of in the current situation. With the markets going down, we've kind of been in a sweet spot because a lot of people actually moved through the banking industry and started depositing more money there, which was really where we were actually where our bank in focused on low cost deposits.
FIELD: We've talked about some of the challenges and the issues that you are working on. From your perspective, were you to encounter another banking and security leader struggling with some of the same challenges, what advice would you give to them?
SALVI: Well, I think if you look at a security management role, I would say it is something which is ongoing. One needs to look at it purely from the point of view of how you improve the game as you go along, how you build the maturity of an organization as you go along. It is not a [situation] where you do something, and that's it and you know it is [done]. There are always certain things which you will have to concede for the better of the future of what you are trying to achieve. Your role is to be a change catalyst ... don't find solutions for problems that you don't have, but just focus on the problems that you have and try to work on a solution that is more effective.
FIELD: That's very well said. I appreciate your and your insight today, thank you so much.
SALVI: Pleasure talking to you, Tom.
FIELD: We've been talking with Vishal Salvi, CISO with HDFC Bank in India. For Information Security Media Group, I'm Tom Field. Thank you very much.