A Harbinger of Change

P. J. Jacob

Being a 75 year old bank with 45 as the approximate average age of employees, P. J. Jacob, AGM of The South Indian Bank Limited had a tough task as employees were not comfortable with the new systems due to restrictions. by Anil Patrick R

Defender, educator, facilitator, leader, team player, foreseeing enterprise future, bringer of progressive changes—just some of the unique facets that make up Security Strategist P. J. Jacob's role. These were revealed during Network Magazine's interview of The South Indian Bank's technologist AGM to get his insights on how a CIO can develop full-fledged security strategies. The conversation also provides interesting perspectives on how a CIO evolved to become a full fledged Security Strategist.

According to Jacob, an ideal security leader is more of a facilitator than somebody who inhibits his team. This approach helps get the best results. He attributes his successes to his team.

"I am lucky to have the right people who have taken real pains in understanding and implemented technology. I was only a facilitator," he says.

Mastering the learning curve

Jacob's major enterprise security strategizing initiative began in mid-2002 when the bank opted for a core banking system (Finacle). The initiative started along with the bank's first pilot branch that deployed the system. Upcoming regulatory requirements like the BS 7799 standard and Basel II made a security strategy imperative.

It was not an easy job for Jacob's team due to their lack of exposure to the planned technology. Core banking solutions and delivery channels like Internet and mobile banking were used only by the new generation banks at that time.

"The biggest learning challenge was that we had no examples to look at. We also did not want to copy someone's model, because security requirements are different from organization to organization," says Jacob.

The strategy is made

These challenges were overcome by intensive discussions internally and with their consultant Wipro. The security policy was then developed after an intense study of the bank's branches, head office, in-house applications, data center, IT division, Regional Cluster Centers (RCCs), and departments over three months. It defines guidelines and procedures to manage access rights and privileges.

Jacob attributes his strategy's success to the top management's active involvement and commitment.

"There was active participation from the management side right from the chairman level. This ensured that we had absolutely no problems due to involvement from all levels of the organization," says Jacob.

A security forum consisting of top management executives meet every quarter to discuss security issues that have cropped up. Security policy reviews are done every six months.

The tech angle

The South Indian Bank uses Finacle in 231 branches and 31 extension counters (85 percent of the business). The rest of the branches use Automatic Ledger Machines (ALM) applications. The bank also has 106 ATMs across India. All branches are connected to RCCs using 64 kbps ISDN lines. The RCCs are connected by 2 Mbps links to the data center.

On the perimeter security level, the bank deploys personal and network level firewalls. An active IDS has also been deployed to monitor attack attempts. Anti-virus updates and patches are pushed over the network to branches. Non-connected branches have regular IT team visits to perform this. Remote network access is not available to users to lessen security risks.

Log monitoring is done by the IT team and an external consultant. The bank conducts internal audits along with branch inspections. The IT division's audits are outsourced.

Change, the only constant

Large scale change management was required for the migration and its associated security strategies. The challenge was systems diversity across branches. Although the bank started using computers in 1985, branches had different programs and systems. The core banking solution took care of consolidation, but not the user issues.

"The greatest challenge was change management. Being a 75 year old bank, the average age of an employee is around 45 years. Employees were not comfortable with the new systems due to restrictions," said Jacob.

This successful execution of the task speaks volumes about Jacob's ability to manage the people element—the most crucial security aspect. The initial difficulties were overcome by training and awareness programs. Top level executives like Regional Managers traveled extensively and had meetings with the employees.

"The advantage was that our personnel, including those in the unions were very positive. It was clear that if the bank has to survive we need these systems in place. This helped it gain acceptance," said Jacob.

The South Indian Bank's IT division has a separate training team and users are trained regularly. The program includes one session completely dedicated to IT security.

Jacob believes that it's measures like these that have made the change management very effective in converting an erstwhile old economy bank into a next generation enterprise.

Anil Patrick R can be reached at: anilpatrick@networkmagazineindia.com