An interview with Md. Mehedi Hasan, Chief Information Security Officer, Bangladesh Bank
Md. Mehedi Hasan started his career as a programmer at a multinational software development company after graduating in Computer Science and Engineering from Khulna University, and is widely regarded as a cybersecurity genius in the tech industry. Over his twenty years of experience he has held several key roles in business transformation and ICT security at NCC Bank and Uttara Bank Limited. Hasan currently holds the position of Chief Information Security Officer at the newly created Cyber Security Unit (CSU) of Bangladesh Bank.
The Fintech team sat down for a conversation with Mehedi Hasan, who shared his extensive experience of the banking industry. Here is an excerpt for Fintech readers.
When did you join the Central Bank, and what changes have you seen within this period of time?
Our central bank recently introduced a new cyber security platform, the ‘Cyber Security Unit (CSU)’, and I joined this year on May 31 as Chief Information Security Officer. From the very beginning, CSU has run a risk assessment program for the ICT infrastructure with three components: People, Process and Technology. Risk areas are the first priority, and so we have taken the existing asset register, the job descriptions of ICT employees, and the ICT policy and procedures of the bank to analyze the risk areas of the ICT infrastructure. Apart from this, CSU has so far taken a core step to conduct a Vulnerability Assessment and Penetration Test (VA/PT) using our own resources to get in touch with technical vulnerabilities, and we are doing this considering the whole infrastructure and critical applications. Combining the outputs of the risk assessment with the vulnerabilities reported by internal and external auditors, we have prepared a risk register. A risk treatment plan is under preparation by CSU based on the Key Risk Indicators (KRIs) of that risk register.
How important is it to have a data center in the banking sector?
In a word, very. The Data Center plays a momentous role in ensuring banking services 24x7, since it is the heart of day-to-day banking. From physical and environmental security for all the servers to networking and even security equipment, all banking services survive through the data center. Though many banks of the country have built state-of-the-art data centers after a huge investment, not all of them are certified for their data center. Because of this, unprecedented downtime may occur anytime in the center, and if an effective disaster recovery (DR) site is not in place, services may be hampered in the long run and banks will lose their reputation severely. Let me talk about the DC-DR concept. Actually, this concept has slightly changed owing to the current threat landscape. DC-Near DC-Far DC is now used to ensure a robust business continuity plan for banks. In this regard, the DC and Near DC will be run in active-active mode, so that if any service is interrupted in the DC for any reason, be it a malware attack or a fire, it will automatically be switched over to the Near DC and users or customers will be unaware of any disruption of service. Then again, the Far DC will be established in a different seismic zone from the physical location of the DC and Near DC to minimize the vulnerability to a major earthquake, and so the Far DC is considered to be the cold site for a bank, where it is used as a data backup repository. So, having a data center is not aristocracy, it’s a necessity.
Do you believe physical banking has lost its appeal due to digital disruption?
Well, it’s not a matter of belief; rather, it’s happening. Digital banking, if I speak of the pre-pandemic situation, was getting popular in Bangladesh, especially among the new generation below 30. And banks are strongly encouraging their customers to use digital banking to minimize the cost of physical banking. A survey shows that when a customer comes to a branch of a bank, Tk.70 is incurred for a single transaction, but a cost of only Tk.15 is incurred for the same transaction when it is done through digital channels like internet banking, ATM, POS, Mobile Banking etc. But the pandemic has changed the scenario. As a result, the demand for digital banking is growing rapidly. Even the older generation, who were afraid of tech banking, are now compelled to embrace technology banking to avoid the risks of COVID-19. In that sense, this culprit coronavirus has paved the way for banks to introduce digital banking to attract more customers while reducing administrative cost as well.
How did you work during the lockdown period? And what differences do you see working in the new normal situation compared to the lockdown period?
Banking was not suspended during the lockdown period. Roster duty was in place for the banks of our country, and Bangladesh Bank was no exception in rendering customer services. IT people also continued their day-to-day activities, either online or physically. Online meeting platforms boomed during this time. Zoom, Streamyard and many more gained popularity, and their use is still dominant even after the lockdown. They are playing a crucial role in discharging office activities, in other sectors too, more effectively and efficiently. We still don’t know when the situation may come under control. Hence, banks should have short-term and long-term plans to carry out their regular activities, including the development of a comprehensive business continuity plan that considers the pandemic situation. If lockdown comes again, banks should have a plan for remote office activities. The capacity of the VPN concentrator should match the requirements of remote workers to ensure secured VPN connections. Moreover, users need to be trained for this; otherwise hackers may exploit any unsafe remote connection.
Did you implement any innovative plans for banking cyber security?
Yes we did, we do, and so we will. We always strive to implement security tools and techniques to address cyber security issues. But, as I said before, we should plan for people, process and technology to create a robust cyber security system. For example, if a bank procures the world’s number one firewall, it may still not ensure security for the organization if a dedicated firewall administrator and a standard operating procedure for firewall administration are not in place. We need to plan for cyber security with a holistic approach under an Enterprise Risk Management plan, and again we need to define the owner, custodian and user of each ICT system and define ICT risk responsibilities for them. With a view to implementing this, a bank may consider a governance, risk and compliance (GRC) solution to guarantee visibility of the existing risk and compliance status in a single dashboard.
Thank you so much for giving your valuable time to Fintech.
It’s my pleasure talking to Fintech.