A Harbinger of Change
|P. J. Jacob
Being a 75 year old bank with 45 as the approximate average
age of employees, P. J. Jacob, AGM of The South Indian Bank Limited had
a tough task as employees were not comfortable with the new systems due to restrictions.
by Anil Patrick R
Defender, educator, facilitator, leader, team player, foreseeing enterprise
future, bringer of progressive changesjust some of the unique facets that
make up Security Strategist P. J. Jacob's role. These were revealed during Network
Magazine's interview of The South Indian Bank's technologist AGM to get his
insights on how a CIO can develop full-fledged security strategies. The conversation
also provides interesting perspectives on how a CIO evolved to become a full
fledged Security Strategist.
According to Jacob, an ideal security leader is more of a facilitator than somebody
who inhibits his team. This approach helps get the best results. He attributes
his successes to his team.
"I am lucky to have the right people who have taken real pains in understanding
and implemented technology. I was only a facilitator," he says.
Mastering the learning curve
Jacob's major enterprise security strategizing initiative began in mid-2002
when the bank opted for a core banking system (Finacle). The initiative started
along with the bank's first pilot branch that deployed the system. Upcoming
regulatory requirements like the BS 7799 standard and Basel II made a security
It was not an easy job for Jacob's team due to their lack of exposure to the
planned technology. Core banking solutions and delivery channels like Internet
and mobile banking were used only by the new generation banks at that time.
"The biggest learning challenge was that we had no examples to look at.
We also did not want to copy someone's model, because security requirements
are different from organization to organization," says Jacob.
The strategy is made
These challenges were overcome by intensive discussions internally and with
their consultant Wipro. The security policy was then developed after an intense
study of the bank's branches, head office, in-house applications, data center,
IT division, Regional Cluster Centers (RCCs), and departments over three months.
It defines guidelines and procedures to manage access rights and privileges.
Jacob attributes his strategy's success to the top management's active involvement
"There was active participation from the management side right from the
chairman level. This ensured that we had absolutely no problems due to involvement
from all levels of the organization," says Jacob.
A security forum consisting of top management executives meet every quarter
to discuss security issues that have cropped up. Security policy reviews are
done every six months.
The tech angle
The South Indian Bank uses Finacle in 231 branches and 31 extension counters
(85 percent of the business). The rest of the branches use Automatic Ledger
Machines (ALM) applications. The bank also has 106 ATMs across India. All branches
are connected to RCCs using 64 kbps ISDN lines. The RCCs are connected by 2
Mbps links to the data center.
On the perimeter security level, the bank deploys personal and network level
firewalls. An active IDS has also been deployed to monitor attack attempts.
Anti-virus updates and patches are pushed over the network to branches. Non-connected
branches have regular IT team visits to perform this. Remote network access
is not available to users to lessen security risks.
Log monitoring is done by the IT team and an external consultant. The bank conducts
internal audits along with branch inspections. The IT division's audits are
Change, the only constant
Large scale change management was required for the migration and its associated
security strategies. The challenge was systems diversity across branches. Although
the bank started using computers in 1985, branches had different programs and
systems. The core banking solution took care of consolidation, but not the user
"The greatest challenge was change management. Being a 75 year old bank,
the average age of an employee is around 45 years. Employees were not comfortable
with the new systems due to restrictions," said Jacob.
This successful execution of the task speaks volumes about Jacob's ability to
manage the people elementthe most crucial security aspect. The initial
difficulties were overcome by training and awareness programs. Top level executives
like Regional Managers traveled extensively and had meetings with the employees.
"The advantage was that our personnel, including those in the unions were
very positive. It was clear that if the bank has to survive we need these systems
in place. This helped it gain acceptance," said Jacob.
The South Indian Bank's IT division has a separate training
team and users are trained regularly. The program includes one session completely
dedicated to IT security.
Jacob believes that it's measures like these that have made the change management
very effective in converting an erstwhile old economy bank into a next generation
Anil Patrick R can be reached at: firstname.lastname@example.org