Nandkumar Saravade Is CEO of RBI's New IT Arm
Security Leaders Set Expectations for the New Chief
Data Security Council of India's CEO, Nandkumar Saravade, has been formally named CEO of the Reserve Bank of India's new IT subsidiary. Saravade reportedly assumed the new role on June 1.
ISMG reached out to Saravade, who confirmed taking charge of the new role.
According to multiple sources, the talks about appointing Saravade had been going on for some time, and May 31 was his last working day as head of DSCI (see: Nandkumar Saravade is New CEO of DSCI).
Last year, RBI announced it was setting up a subsidiary to take care of IT requirements, and since late 2015 it has been scouting for a CEO to lead the team (see: RBI Seeks CEO for New IT Arm).
Hyderabad-based IDRBT had been helping RBI find a suitable candidate. Dr. A. S. Ramasastri, director, IDRBT, also confirmed Saravade's appointment.
Reserve Bank of India's new IT subsidiary will focus on IT and cybersecurity (including related research) with specific focus on the financial sector, and assist in IT systems audit and assessment of RBI regulated entities. It will also advise, implement and maintain RBI's internal or systemwide IT projects (existing and new) and manage RBI's critical IT systems.
Security practitioners and experts welcome the move, saying RBI insourcing its cybersecurity and IT resources is a positive sign.
"It's a good move," says Mumbai-based Dinesh Bareja, COO of Open Security Alliance and founder of India Watch. "Saravade has vast experience in handling security - he will be proactive and bring all constituent banks under a strong cybersecurity ecosystem."
Role and Responsibility
As per RBI's statement, the CEO will be initially designated as "officer on special duty" for up to one year and thereafter as CEO for up to two years, renewable by mutual agreement for a further period.
However, sources believe it could be a full-term role until the executive's superannuation.
RBI says the entity will focus on IT strategy for regulation and create a think-tank of high intellectual caliber, apart from guiding regulated entities on what must be done in the IT area of their operations, and for RBI's IT-related functions. Also, it must participate in setting up standards to strengthen RBI's role as a regulator.
Commenting on a WhatsApp group, Saravade said that, given the need for interoperability and cross-institutional cooperation, the entity would be expected to participate effectively in setting up standards to strengthen RBI's role as a regulator.
It will have advisory committees for guidance on cybersecurity, current and future requirements of entities regulated by the RBI, particularly from regulatory and supervisory perspectives and advise RBI on its IT systems and projects/procedures. It also will report periodically to RBI's apex level committees.
Security practitioners believe Saravade will bring in enormous expertise in cybersecurity. As CEO of DSCI, he was instrumental in spinning off various initiatives that generated additional capacity in improving research capabilities, the skills supply pipeline, the ecosystem for start-ups and product companies, and also worked with the government to improve the policy environment (see interview with Saravade: India Needs New Laws to Fight Fraud).
Saravade also ensured start-up companies got funding, mentoring and branding, with the help of the industry and government.
Also, Saravade's assignment with the IPS as director, cybersecurity and compliance, NASSCOM - involving policy formulation on cybersecurity and privacy, capacity building for law enforcement, advising NASSCOM members on incident response management and organizing mass awareness campaigns on cybersecurity - will help him excel in the new role, practitioners say.
Between 2008 and 2011, Saravade was a member of the High Level Group on Electronic Banking Controls Governance and Technology Risk Management Standards set up by the RBI. He was also chairman, India Payment Risk Council, a body of fraud risk professionals in Indian banks. This was one of the strongest requirements for fulfilling RBI's criteria, security leaders say.
Sameer Ratolikar, CISO of HDFC Bank, says Saravade's appointment, a good move, was in the cards for a few weeks. "The agenda is not clear at this point, but Saravade is assessing it."
N. D. Kundu, CISO of Bank of Baroda, observes that the new Reserve Bank of India subsidiary is expected to process a lot of data, creating a centralized data mining repository: "It's a huge task for Saravade - to bring about uniform security standardization and risk assessment frameworks across the banking industry."
According to the RBI, initially, the CEO of the new subsidiary will be responsible for establishing an appropriate structure for the unit and a team that suits its requirements.
RBI is seeking four senior vice presidents for various functions, who would report to the CEO (see: RBI Seeks Four VPs for New IT Arm).
Saravade urged his peers to recommend potential candidates to these senior positions.
Practitioners say Saravade will face challenges, including breaking the bureaucratic mindset of the banking industry. They hope the new subsidiary will not be just another initiative, but really work toward ensuring a cyber secure ecosystem.
"I'm sure the new subsidiary, under Saravade's guidance, will define new ways of securing banking infrastructure with well-defined processes and security standards and services, which banks must adhere to," Kundu says.
With the departure of Saravade, the DSCI - with Rama Vedashree, vice president at Nasscom, as its interim CEO - plans to leverage RBI's strengths in establishing security standards across the financial sector and emulate its model in other sectors, too.
"With the new CEO coming in, I expect the information sharing platform to get more authentic, and future security guidelines to be strictly mandated and not just for compliance reasons," Bareja says.